Advertisement targeting through embedded scripts in supply-side and demand-side platforms

ABSTRACT

An apparatus and a system of improvement of advertisement targeting through embedded scripts in supply-side and demand-side platforms are disclosed. In one embodiment, a method of a client device includes applying an automatic content recognition algorithm to determine a content identifier of an audio-visual data. The client device then associates the content identifier with an advertisement data based on a semantic correlation between a meta-data of the advertisement provided by a content provider and/or the content identifier. The advertisement targeting may be improved when a script is embedded in the client device, a supply-side platform, and/or a data provider integrated with the supply side platform, to execute arbitrary cross-site scripts in the sandboxed application of the client device. The content identifier may be obfuscated in a manner that it is relevant to a particular demand-side platform to eliminate a need to query the provider of the content identifier on a per ad-spot basis. The demand-side platform may submit requests to the advertising exchange based on a constraint type rather than through a bidding methodology on a per advertisement spot basis.

CLAIM OF PRIORITY

This application is a Continuation application of and claims priorityto, and incorporates herein by reference the entire specification of theU.S. utility application Ser. No. 14/018,415 titled, “ADVERTISEMENTTARGETING THROUGH EMBEDDED SCRIPTS IN SUPPLY-SIDE AND DEMAND-SIDEPLATFORMS” filed on Sep. 4, 2013. The U.S. utility application Ser. No.14/018,415 further claims the priority to the applications:

-   -   1. This disclosure claims priority to, and incorporates herein        by reference the entire Specification of U.S. Provisional Patent        application No. 61/696,711 filed on Sep. 4, 2012 and titled        “SYSTEMS AND METHODS FOR RECOGNIZING CONTENT”.    -   2. This disclosure claims priority to, and incorporates herein        by reference the entire Specification of U.S. Continuation        application Ser. No. 13/470,814 titled “DISCOVERY, ACCESS        CONTROL, AND COMMUNICATION WITH NETWORKED SERVICES FROM WITHIN A        SECURITY SANDBOX” filed on May 14, 2012 and granted into U.S.        Pat. No. 8,539,072 on Sep. 17, 2013.        -   a. which itself is a Continuation patent application of Ser.            No. 12/592,377 titled “DISCOVERY, ACCESS CONTROL, AND            COMMUNICATION WITH NETWORKED SERVICES FROM WITHIN A SECURITY            SANDBOX”, filed on Nov. 23, 2009 and granted into U.S. Pat.            No. 8,180,891 on May 15, 2012.            -   i. which claims priority to U.S. Provisional patent                application 61/118,286 titled “DISCOVERY, ACCESS                CONTROL, AND COMMUNICATION WITH NETWORKED SERVICES FROM                WITHIN A SECURITY SANDBOX” filed on Nov. 26, 2008.    -   3. This disclosure claims priority to, and incorporates herein        by reference the entire specification of U.S. Utility patent        application Ser. No. 13/736,031 titled “ZERO CONFIGURATION        COMMUNICATION BETWEEN A BROWSER AND A NETWORKED MEDIA DEVICE”        filed on Jan. 7, 2013 and granted into U.S. Pat. No. 9,154,942        on Oct. 6, 2015.        -   a. which claims priority to U.S. Provisional patent            application 61/584,168 titled CAPTURING CONTENT FOR DISPLAY            ON A TELEVISION filed on Jan. 6, 2012.

FIELD OF TECHNOLOGY

This disclosure relates generally to the technical field of networking,and in one example embodiment, this disclosure relates to a method, anapparatus, and a system of improvement of advertisement targetingthrough embedded scripts in supply-side and demand-side platforms.

BACKGROUND

A supply-side platform may be a technology platform to enable publishersto manage their advertising impression inventory and/or maximize revenuefrom digital media. A demand-side platform may be a system that allowsbuyers of digital advertising to manage multiple advertising exchangeand/or data exchange accounts through an interface. An advertisingtargeting system may not be able to capture relevant information fromthe supply-side platform and/or a demand-side platform when makingadvertisement placement decisions. This may limit the targetability ofan advertisement to a user.

SUMMARY

An apparatus and a system of improvement of advertisement targetingthrough embedded scripts in supply-side and demand-side platforms aredisclosed. In one aspect, a method of a client device includes applyingan automatic content recognition algorithm to determine a contentidentifier of an audio-visual data. The client device then associatesthe content identifier with an advertisement data based on a semanticcorrelation between a meta-data of the advertisement provided by acontent provider and/or the content identifier. Advertisement targetingis improved when a script is embedded in the client device, asupply-side platform, and/or a data provider integrated with the supplyside platform. Arbitrary cross-site scripts is executed in the sandboxedapplication of the client device. The content identifier is obfuscatedin a manner that it is relevant to a particular demand-side platform toeliminate a need to query the provider of the content identifier on aper ad-spot basis. The demand-side platform submits requests to theadvertising exchange based on a constraint type rather than through abidding methodology on a per advertisement spot basis.

The advertisement data may be generated through an advertising exchangeserver based on the content identifier of the audio-visual data and/or apublic internet-protocol address associated with an applicationrequesting the advertisement data. A provider of the content identifiermay receive a compensation when the advertisement data is associatedwith the audio-visual data based on the public internet protocol addressassociated with the application requesting the advertisement data.

The provider of the content may append a set of content identifiers fromassociated clients and/or a viewing history from associated clients to aplurality of advertisements and/or resells the advertisement data backto the advertising exchange based on the appended content identifiers. Acapture infrastructure may annotate the audio-visual data with a brandname and/or a product name by comparing entries in the master databasewith a closed captioning data of the audio-visual data and/or through anapplication of an optical character recognition algorithm in theaudio-visual data. A sandboxed application of the client device mayrequest access to a microphone and/or a camera on the client device tocapture a raw audio/video data.

The capture infrastructure may process the raw audio/video data with thebrand name and/or the product name by comparing entries in the masterdatabase with the raw audio/video data and/or through the application ofa sensory recognition algorithm of the raw audio/video data. Thesandboxed application may query a MAC address of the sandbox reachableservice in a common private network. The sandbox reachable service mayoptionally verify that the sandboxed application is in the commonprivate network. The sandbox reachable service may communicate a MACaddress of the sandboxed application to the sandboxed application whenthe common private network is shared. The sandboxed application maystore the MAC address of the sandboxed application and/or a uniqueidentifier derived from the MAC address of the sandboxed application.

The sandboxed application may communicate the MAC address and/or theunique identifier to the pairing server. A script may be automaticallyregenerated that is embedded in the client device, a supply-sideplatform, and/or a data provider integrated with the supply sideplatform when the common private network is shared by the sandboxedapplication and/or sandboxed application based on the MAC address of thesandboxed application and/or the unique identifier communicated to thepairing server.

The content identifier may involve a music identification, an objectidentification, a facial identification, and/or a voice identification.A minimal functionality including accessing a tuner and/or a streamdecoder that identifies a channel and/or a content may be found in thenetworked media device. The networked media device may produce an audiofingerprint and/or a video fingerprint that is communicated with thecapture infrastructure.

The capture infrastructure may compare the audio fingerprint and/or thevideo fingerprint with a master database. The capture infrastructure mayfurther annotate the audio-visual data with a logo name by comparingentries in the master database with a logo data of the audio-visual dataidentified using a logo detection algorithm. The capture infrastructuremay automatically divide the audio-visual data into a series of scenesbased on a sematic grouping of actions in the audio-visual data. Theaudio-visual data may be analyzed in advance of a broadcast to determinecontent identifiers associated with each commercial in the audio-visualdata such that advertisements are pre-inserted into the audio-visualdata prior to broadcast.

The capture infrastructure may apply a time-order algorithm toautomatically match advertisements to the audio-visual data when acorrelation pattern is identified by the capture infrastructure withother audio-visual content previously analyzed. The captureinfrastructure may include a buffer that is saved to a persistentstorage and/or for which a label is generated to facilitateidentification of reoccurring sequences. A post processing operation maybe automated through a post-processing algorithm and/or a crowd-sourcedoperation using a plurality of users in which a turing test is appliedto determine a veracity of an input.

A device pairing algorithm may be used in which a cookie data associatedwith a web page visited by the user stored on a browser on the clientdevice is paired with the networked media device when the client deviceis communicatively coupled with the networked media device. A transitivepublic IP matching algorithm may be utilized in which the client deviceand/or the networked media device communicates each public IP addresswith any paired entity to the capture infrastructure. A tag that isunconstrained from a same-origin policy may be used to automaticallyload the advertisement in the browser, the tag is an image tag, a frame,a iframe, and/or a script tag.

An additional metadata including the content identifier and/or theadvertisement based on a video processing algorithm may be referenced.The additional meta data may be a title, a description, a thumbnail, aname of an individual, and/or a historical data. The additional metadatamay be determined from a browser history captured from the client devicebased on a capture policy, and/or correlating a relevance of the browserhistory with the content identifier and/or the advertisement.

In another embodiment, a method of a networked device includes applyingan automatic content recognition algorithm to determine a contentidentifier of an audio-visual data and associating the contentidentifier with an advertisement data based on a semantic correlationbetween a meta-data of the advertisement provided by a content providerand/or the content identifier. Advertisement targeting is improved whena script is embedded in the client device, a supply-side platform,and/or a data provider integrated with the supply side platform.Arbitrary cross-site scripts is executed in the sandboxed application ofthe client device. The content identifier is obfuscated in a manner thatit is relevant to a particular demand-side platform to eliminate a needto query the provider of the content identifier on a per ad-spot basis.The demand-side platform submits requests to the advertising exchangebased on a constraint type rather than through a bidding methodology ona per advertisement spot basis.

In yet another embodiment, a system includes a networked device and/or aclient device to apply an automatic content recognition algorithm todetermine a content identifier of an audio-visual data and/or toassociate the content identifier with an advertisement data based on asemantic correlation between a meta-data of the advertisement providedby a content provider and/or the content identifier. In addition, thesystem includes a capture infrastructure to annotate the audio-visualdata with a brand name and/or a product name by comparing entries in themaster database with a closed captioning data of the audio-visual dataand/or through an application of an optical character recognitionalgorithm in the audio-visual data.

Furthermore, the system includes an advertising exchange server togenerate an advertisement based on the content identifier of theaudio-visual data and/or a public internet-protocol address associatedwith an application requesting the advertisement data. In thisembodiment, advertising targeting is improved when a script is embeddedin the client device, a supply-side platform, and/or a data providerintegrated with the supply side platform. Arbitrary cross-site scriptsis executed in the sandboxed application of the client device. Thecontent identifier is obfuscated in a manner that it is relevant to aparticular demand-side platform to eliminate a need to query theprovider of the content identifier on a per ad-spot basis. Thedemand-side platform submits requests to the advertising exchange basedon a constraint type rather than through a bidding methodology on a peradvertisement spot basis.

The methods, system, and/or apparatuses disclosed herein may beimplemented in any means for achieving various aspects, and may beexecuted in a form of machine readable medium embodying a set ofinstruction that, when executed by a machine, causes the machine toperform any of the operations disclosed herein. Other features will beapparent from the accompanying drawing and from the detailed descriptionthat follows.

BRIEF DESCRIPTION OF DRAWINGS

Example embodiments are illustrated by way of example and not limitationin the figures of the accompanying drawing, in which like referencesindicate similar elements and in which:

FIG. 1 is a block diagram of a system of automatic bidirectionalcommunication between multiple devices sharing a common network,according to one embodiment.

FIG. 2 is a block diagram of a system of automatic bidirectionalcommunication between a client device 100 and a networked device 102using a server, according to one embodiment.

FIG. 3 is an exploded view of the security sandbox 104, according to oneembodiment.

FIG. 4 is an exploded view of the pairing server 200, according to oneembodiment.

FIG. 5 is an exploded view of the client device 100, according to oneembodiment.

FIG. 6 is a table of example network information stored in a database422 of a pairing server 200, according to one embodiment.

FIG. 7 is a block diagram of a method by which a security sandbox 104can communicate with a sandbox reachable service 114 that previouslyoperated on a shared network 202, according to one embodiment.

FIG. 8 is a schematic diagram of a private network 800 and a privatenetwork 802 communicating over the public Internet via a NAT device 804and a NAT device 806, according to one embodiment.

Other features of the present embodiments will be apparent from theaccompanying drawings and from the detailed description that follows.

DETAILED DESCRIPTION

An apparatus and a system of improvement of advertisement targetingthrough embedded scripts in supply-side and demand-side platforms aredisclosed.

In one embodiment, a method of a client device 100 includes applying anautomatic content recognition algorithm (e.g., from the algorithmlibrary 107) to determine a content identifier 111 of an audio-visualdata. The client device 100 then associates the content identifier 111with an advertisement data 113 based on a semantic correlation between ameta-data of the advertisement provided by a content provider and/or thecontent identifier 111. Advertisement targeting (e.g., how relevant anadvertisement is to a user) is improved when a script (e.g., aJavascript code, a cookie) is embedded in the client device 100, asupply-side platform (e.g., a technology platform with the singlemission of enabling publishers to manage their ad impression inventoryand maximize revenue from digital media), and/or a data providerintegrated with the supply side platform.

Arbitrary cross-site scripts are executed in the sandboxed application112 of the client device 100. The content identifier 111 are obfuscatedin a manner that it is relevant to a particular demand-side platform(e.g., a system that allows buyers of digital advertising to managemultiple ad exchange and data exchange accounts through one interface)to eliminate a need to query the provider of the content identifier 111on a per ad-spot basis. The demand-side platform submits requests to theadvertising exchange server 115 based on a constraint type rather thanthrough a bidding methodology on a per advertisement spot basis.

The advertisement data 113 may be generated through an advertisingexchange server 115 based on the content identifier 111 of theaudio-visual data and/or a public internet-protocol address associatedwith an application requesting the advertisement data 113. A provider ofthe content identifier 111 may receive a compensation when theadvertisement data 113 is associated with the audio-visual data based onthe public internet protocol address associated with the applicationrequesting the advertisement data 113.

The provider of the content may append a set of content identifiers(e.g., the content identifier 111) from associated clients and/or aviewing history from associated clients to a plurality of advertisementsand/or resells the advertisement data 113 back to the advertisingexchange server 115 based on the appended content identifiers (e.g.,content identifier 111). A capture infrastructure 105 may annotate theaudio-visual data with a brand name and/or a product name by comparingentries in the master database 109 with a closed captioning data of theaudio-visual data and/or through an application of an optical characterrecognition algorithm (e.g., from the algorithm library 107) in theaudio-visual data. A sandboxed application 112 of the client device 100may request access to a microphone and/or a camera on the client device100 to capture a raw audio/video data.

The capture infrastructure 105 may process the raw audio/video data withthe brand name and/or the product name by comparing entries in themaster database 109 with the raw audio/video data and/or through theapplication of a sensory recognition algorithm (e.g., from the algorithmlibrary 107) of the raw audio/video data.

The sandboxed application 112 may query a MAC address of the sandboxreachable service 114 in a common private network. The sandbox reachableservice 114 may optionally verify that the sandboxed application 112 isin the common private network. The sandbox reachable service 114 maycommunicate a MAC address of the sandboxed application 112 to thesandboxed application 112 when the common private network is shared. Thesandboxed application 112 may store the MAC address of the sandboxedapplication 112 and/or a unique identifier derived from the MAC addressof the sandboxed application 112.

The sandboxed application 112 may communicate the MAC address and/or theunique identifier to the pairing server. A script may be automaticallyregenerated that is embedded in the client device 100, a supply-sideplatform, and/or a data provider integrated with the supply sideplatform when the common private network is shared by the sandboxedapplication 112 and/or sandboxed application 112 based on the MACaddress of the sandboxed application 112 and/or the unique identifiercommunicated to the pairing server.

In another embodiment, a method of a networked device includes applyingan automatic content recognition algorithm (e.g., from the algorithmlibrary 107) to determine a content identifier 111 of an audio-visualdata and associating the content identifier 111 with an advertisementdata 113 based on a semantic correlation between a meta-data of theadvertisement provided by a content provider and/or the contentidentifier 111.

In this another embodiment, advertising targeting (e.g., how relevant anadvertisement is to a user) is improved when a script (e.g., aJavascript code, a cookie) is embedded in the client device 100, asupply-side platform (e.g., a technology platform with the singlemission of enabling publishers to manage their ad impression inventoryand maximize revenue from digital media), and/or a data providerintegrated with the supply side platform. Arbitrary cross-site scriptsare executed in the sandboxed application 112 of the client device 100.The content identifier 111 are obfuscated in a manner that it isrelevant to a particular demand-side platform (e.g., a system thatallows buyers of digital advertising to manage multiple ad exchange anddata exchange accounts through one interface) to eliminate a need toquery the provider of the content identifier 111 on a per ad-spot basis.The demand-side platform submits requests to the advertising exchangeserver 115 based on a constraint type rather than through a biddingmethodology on a per advertisement spot basis.

In yet another embodiment, a system includes a networked device and/or aclient device 100 to apply an automatic content recognition algorithm(e.g., from the algorithm library 107) to determine a content identifier111 of an audio-visual data and/or to associate the content identifier111 with an advertisement data 113 based on a semantic correlationbetween a meta-data of the advertisement provided by a content providerand/or the content identifier 111. In addition, the system includes acapture infrastructure 105 to annotate the audio-visual data with abrand name and/or a product name by comparing entries in the masterdatabase 109 with a closed captioning data of the audio-visual dataand/or through an application of an optical character recognitionalgorithm (e.g., from the algorithm library 107) in the audio-visualdata.

In one embodiment, a method of a client device 100 includes applying anautomatic content recognition algorithm (e.g., in the algorithm library107) to determine a content identifier 111 of an audio-visual data(e.g., a movie, a television show, an advertisement, etc.). The clientdevice 100 then associates the content identifier 111 with anadvertisement data 113 based on a semantic correlation between ameta-data of the advertisement (a particular advertisement of theadvertisement data 113) provided by a content provider (e.g., anorganization providing advertisements) and/or the content identifier111. A capture infrastructure 105 annotates the audio-visual data with abrand name and/or a product name by comparing entries in the masterdatabase 109 with a closed captioning data of the audio-visual dataand/or through an application of an optical character recognitionalgorithm (e.g., in the algorithm library 107) in the audio-visual data.The content identifier 111 may involve a music identification, an objectidentification, a facial identification, and/or a voice identification.A minimal functionality including accessing a tuner and/or a streamdecoder that identifies a channel and/or a content may be found in thenetworked media device (e.g., the networked device 102). The networkedmedia device (e.g., the networked device 102) may produce an audiofingerprint and/or a video fingerprint that is communicated with thecapture infrastructure 105.

The capture infrastructure 105 may compare the audio fingerprint and/orthe video fingerprint with a master database 109. The captureinfrastructure 105 may further annotate the audio-visual data with alogo name by comparing entries in the master database 109 with a logodata of the audio-visual data identified using a logo detectionalgorithm (e.g., in the algorithm library 107). The captureinfrastructure 105 may automatically divide the audio-visual data into aseries of scenes based on a sematic grouping of actions in theaudio-visual data. The audio-visual data may be analyzed in advance of abroadcast to determine content identifiers (e.g., the content identifier111) associated with each commercial in the audio-visual data such thatadvertisements are pre-inserted into the audio-visual data prior tobroadcast.

The capture infrastructure 105 may apply a time-order algorithm (e.g.,in the algorithm library 107) to automatically match advertisements tothe audio-visual data when a correlation pattern is identified by thecapture infrastructure 105 with other audio-visual content previouslyanalyzed. The capture infrastructure 105 may include a buffer that issaved to a persistent storage and/or for which a label is generated tofacilitate identification of reoccurring sequences. A post processingoperation may be automated through a post-processing algorithm (e.g., inthe algorithm library 107) and/or a crowd-sourced operation using aplurality of users in which a turing test is applied to determine averacity of an input.

A device pairing algorithm (e.g., in the algorithm library 107) may beused in which a cookie data associated with a web page visited by theuser stored on a browser on the client device 100 is paired with thenetworked media device (e.g., the networked device 102) when the clientdevice 100 is communicatively coupled with the networked media device(e.g., the networked device 102). A transitive public IP matchingalgorithm (e.g., in the algorithm library 107) may be utilized in whichthe client device 100 and/or the networked media device (e.g., thenetworked device 102) communicates each public IP address with anypaired entity to the capture infrastructure 105. A tag that isunconstrained from a same-origin policy may be used to automaticallyload the advertisement in the browser, the tag is an image tag, a frame,a iframe, and/or a script tag.

An additional metadata including the content identifier 111 and/or theadvertisement based on a video processing algorithm (e.g., in thealgorithm library 107) may be referenced. The additional meta data maybe a title, a description, a thumbnail, a name of an individual, and/ora historical data. The additional metadata may be determined from abrowser history captured from the client device 100 based on a capturepolicy, and/or correlating a relevance of the browser history with thecontent identifier 111 and/or the advertisement.

In another embodiment, a method of a networked device includes applyingan automatic content recognition algorithm (e.g., in the algorithmlibrary 107) to determine a content identifier 111 of an audio-visualdata, and associating the content identifier 111 with an advertisementdata 113 based on a semantic correlation between a meta-data of theadvertisement provided by a content provider and/or the contentidentifier 111. In this other aspect, a capture infrastructure 105annotates the audio-visual data with a brand name and/or a product nameby comparing entries in the master database 109 with a closed captioningdata of the audio-visual data and/or through an application of anoptical character recognition algorithm (e.g., in the algorithm library107) in the audio-visual data.

In yet another embodiment, a system includes a networked device and/or aclient device 100 to apply an automatic content recognition algorithm(e.g., in the algorithm library 107) to determine a content identifier111 of an audio-visual data and/or to associate the content identifier111 with an advertisement data 113 based on a semantic correlationbetween a meta-data of the advertisement provided by a content providerand/or the content identifier 111. The system also includes a captureinfrastructure 105 to annotate the audio-visual data with a brand nameand/or a product name by comparing entries in the master database 109with a closed captioning data of the audio-visual data and/or through anapplication of an optical character recognition algorithm (e.g., in thealgorithm library 107) in the audio-visual data.

FIG. 1 is a block diagram of a system of automatic bidirectionalcommunication (e.g., sending and receiving information in bothdirections without prior configuration by a human) between multipledevices sharing a common network, according to one embodiment. FIG. 1shows a client device 100, a networked device 102, a security sandbox104, an executable environment 106, a processor 108, a storage 109, amemory 110, a sandboxed application 112, and a sandbox reachable service114. The client device 100 communicates bidirectionally with thenetworked device 102 of FIG. 1.

According to one embodiment, a client device 100 may be a computer, asmartphone, and/or any other hardware with a program that initiatescontact with a server to make use of a resource. A client device 100 mayconstrain an executable environment 106 in a security sandbox 104,execute a sandboxed application 112 in a security sandbox 104 using aprocessor 108 and a memory 110, and automatically instantiate (e.g.,manifest) a connection (e.g., a complete path between two terminals overwhich two-way communications may be provided) between a sandboxedapplication 112 and a sandbox reachable service 114 of the networkeddevice 102.

According to one embodiment, a networked device 102 may be a television,stereo, game console, another computer, and/or any other hardwareconnected by communications channels that allow sharing of resources andinformation. A networked device 102 may comprise a number of sandboxreachable applications. A networked device 102 may announce a sandboxreachable service 114 using a processor 108 and a memory 110. Accordingto one embodiment, a processor 108 may be a central processing unit(CPU), a microprocessor, and/or any other hardware within a computersystem which carries out the instructions of a program by performing thebasic arithmetical, logical, and input/output operations of the system.According to one embodiment, a memory 110 may be a random access memory(RAM), a read only memory (ROM), a flash memory, and/or any otherphysical devices used to store programs or data for use in a digitalelectronic device.

The security sandbox 104, the processor 108, the storage 109, and thememory 110 each exist within the client device 100 of FIG. 1, and theycommunicate bidirectionally with each other. According to oneembodiment, a security sandbox 104 may be an operating system on whichthe sandboxed application 112 is hosted, a browser application of theoperating system, and/or any other mechanism for separating runningprograms to execute untested code and/or untrusted programs fromunverified third-parties, suppliers, untrusted users, and untrustedwebsites. According to one embodiment, a storage 109 may be a technologyconsisting of computer components and recording media used to retaindigital data.

The executable environment 106 exists within the security sandbox 104 ofFIG. 1. According to one embodiment, an executable environment 106 maybe a virtual machine, a jail, a scripting language interpreter, ascratch space on disk and memory, and/or any other tightly controlledset of resources in which to run guest programs.

The sandboxed application 112 exists within the executable environment106 of FIG. 1. According to one embodiment, a sandboxed application 112may be an untested code, an untrusted program (e.g., from an untrustedweb page), and/or any other software that can be executed with theappropriate runtime environment of the security sandbox 104.

The sandbox reachable service 114 exists within the networked device 102of FIG. 1. According to one embodiment, a sandbox reachable service 114may be a smart television application, a set-top box application, anaudio device application, a game console application, a computerapplication, and/or any other service that can be discovered andcommunicated with from within the sandboxed application 112. FIG. 1 mayencompass constraining a sandbox reachable service 114 in a securitysandbox 104 where it is described sandbox reachable service 114,according to one embodiment. A security sandbox 104 may not allow asandbox reachable service 114 that is constrained in the securitysandbox 104 to open a server socket and receive inbound connections.However, a sandbox reachable service 114 that is constrained in thesecurity sandbox 104 may still announce and be discovered, but allcommunications between a client device 100 and a networked device 102may need to traverse through a relay in a pairing server 200.

FIG. 2 is a block diagram of a system of automatic bidirectionalcommunication between a client device 100 and a networked device 102using a server, according to one embodiment. FIG. 2 shows a clientdevice 100, a networked device 102, a security sandbox 104, anexecutable environment 106, a processor 108, a memory 110, a sandboxedapplication 112, a pairing server 200, a shared network 202, a Wide AreaNetwork (WAN) 204, a devices 206, a global unique identifier (GUID) 208,an alphanumeric name 210, a private address pair 212, a sandboxreachable service 114, an identification data 216, a switch 218, apublic address pair 220, and a hardware address 222.

The client device 100, the networked device 102, and the devices 206communicate bidirectionally with each other through the switch 218 inthe shared network 202. According to one embodiment, a devices 206 maybe a television, a projection screen, a multimedia display, atouchscreen display, an audio device, a weather measurement device, atraffic monitoring device, a status update device, a global positioningdevice, a geospatial estimation device, a tracking device, abidirectional communication device, a unicast device, a broadcastdevice, a multidimensional visual presentation device, and/or any otherdevices with a network interface. According to one embodiment, a switch218 may be a telecommunication device (e.g., a broadcast, multicast,and/or anycast forwarding hardware) that receives a message from anydevice connected to it and then transmits the message only to the devicefor which the message was meant.

According to one embodiment, a shared network 202 may be a local areanetwork, a multicast network, an anycast network, a multilan network, aprivate network (e.g., any network with a private IP space), and/or anyother collection of hardware interconnected by communication channelsthat allow sharing of resources and information. When a sandboxedapplication 112 and a sandbox reachable service 114 communicate in ashared network 202 common to the client device 100 and a networkeddevice 102 when a connection is established, a client device 100 mayeliminate a communication through a centralized infrastructure (e.g., apairing server 200 which may be used only for discovery), minimizelatency in the communication session (e.g., by establishing a connectionbetween a client device 100 and a networked device 102 rather than byrelaying via a pairing server 200), and improve privacy in thecommunication session.

FIG. 2 may encompass establishing a shared network 202 based on abidirectional communication that does not use a relay service where itis described a shared network 202, according to one embodiment. Multiplelocal area networks (LANs) may share a public IP address. A clientdevice 100 may reside on one LAN, and a sandbox reachable service 114may reside on another LAN. A client device 100 may discover a sandboxreachable service by matching public Internet Protocol (IP) addresses.However, a sandbox reachable service 114 that is not constrained to asecurity sandbox 104 may have an unconstrained view (e.g., it may haveaccess to Media Access Control addresses, Address Resolution Protocol,and/or routing tables) of a shared network 202.

A client device 100 may attempt to communicate with a sandbox reachableservice 114 (e.g., by opening a Transmission Control Protocol connectionand/or by sending a User Datagram Protocol datagram) without using arelay service. A shared network 202 may be established if a connectionsuccessfully handshakes, a datagram arrives, and/or the client device100 and the sandbox reachable service 114 otherwise communicatebidirectionally without using a relay service.

FIG. 2 may also encompass establishing a shared network 202 based on adetermination that a client device 100 and a sandbox reachable service114 reside on a same LAN where it is described a shared network 202,according to one embodiment. For example, a networked device 102 maybroadcast ping (e.g., using Internet Control Message Protocol) andlisten for a response from a client device 100.

FIG. 2 may further encompass establishing a shared network 202 by usingan address resolution protocol (e.g., ARP) where it is described ashared network 202, according to one embodiment. A sandbox reachableservice 114 may determine that a client device 100 resides on a same LANif the IP address of the client device 100 can be resolved to a LANaddress using an IP-to-LAN address resolution protocol (e.g., ARP).

The shared network 202 communicates with the pairing server 200 throughthe WAN 204. According to one embodiment, a pairing server 200 may be acomputer hardware system dedicated to enabling communication between asandboxed application 112 and a sandbox reachable service 114. Accordingto one embodiment, a WAN 204 may be the Internet and/or any othertelecommunications network that links across metropolitan, regional,and/or national boundaries using private and/or public transports. Anetworked device 102 may announce an availability of a sandbox reachableservice 114 across a range of public addresses such that a sandboxedapplication 112 communicates with the sandbox reachable service 114 inany one of the range of the public addresses. However, a range of publicaddresses may be known by a pairing server 200 so that the announcementof the availability of a sandbox reachable service 114 across a range ofpublic addresses is unnecessary.

The identification data 216 exists within the sandbox reachable service114 of FIG. 2. According to one embodiment, an identification data 216may be a reference information associated with an application sharing apublic address with a client device 100, a networked device 102, and/ora devices 206 (e.g., to define a network in which the client device 100,the networked device 102, and/or the devices 206 reside). A clientdevice 100 may access a pairing server 200 when processing anidentification data 216 associated with a sandbox reachable service 114sharing a public address with the client device 100. A pairing server200 may perform a discovery lookup of any device that has announced thatit shares a public address associated with the client device 100.Further, a sandbox reachable service 114 may announce itself to apairing server 200 prior to the establishment of a communication sessionbetween a sandboxed application 112 and the sandbox reachable service114.

The GUID 208, the alphanumeric name 210, the private address pair 212,the public address pair 220, and the hardware address 222 each existwithin the identification data 216 of FIG. 2. According to oneembodiment, a GUID 208 may be a 128-bit reference number used bysoftware programs to uniquely identify the location of a data object.For example, FIG. 2 may be applicable to a GUID 208 of a sandboxreachable service 114 and/or a networked device 102 where it isdescribed a global unique ID 208. It may be preferable to have aone-to-one mapping between a GUID 208 and a networked device 102.However, in the case when a sandbox reachable service 114 may beconstrained to a security sandbox 104, the sandbox reachable service 114may have no way of determining its own IP address and/or whether itresides on a same device with other services. In this case, everysandbox reachable service 114 on the same device may have its own GUID208.

According to one embodiment, an alphanumeric name 210 may be a “Vizio®36″ TV,” a “living room TV,” a “bedroom printer,” and/or any otherhuman-friendly reference name of a networked device 102. According toone embodiment, a private address pair 212 may be a private InternetProtocol (IP) address and a port number associated with an applicationthat sends and/or receives packets. According to one embodiment, apublic address pair 220 may be a public IP address and a port number 604associated with an application that sends and/or receives packets.According to one embodiment, a hardware address 222 may be a MediaAccess Control (MAC) address, a physical address, Ethernet hardwareaddress (EHA), and/or any other unique identifier assigned to networkinterfaces for communications on the physical network segment.

A client device 100 may process an identification data 216 associatedwith a sandbox reachable service 114 sharing a public address with theclient device 100 and determine a private address pair 212 of thesandbox reachable service 114 based on the identification data 216. Anetworked device 102 may also communicate a global unique identifier 208and/or an alphanumeric name 210 to a pairing server 200 along with ahardware address 222 associated with the networked device 102, a publicaddress pair 220 associated with a sandbox reachable service 114 of thenetworked device 102, and/or a private address pair 212 associated withthe sandbox reachable service 114 of the networked device 102.

FIG. 3 is an exploded view of the security sandbox 104, according to oneembodiment. FIG. 3 shows a security sandbox 104, a sandboxed application112, a same origin policy exception 300, a web page 302, a script 304, abinary executable 306, an intermediate bytecode 308, an abstract syntaxtree 310, an executable application 312, a HyperText Markup Language 5(HTML5) application 314, a Javascript® application 316, an Adobe® Flash®application 318, an Asynchronous Javascript® and XML (AJAX) application320, a JQuery® application 324, a Microsoft® Silverlight® application326, a hyperlink 328, a frame 330, a script 332, an image 334, a header336, and a form 338.

The sandboxed application 112 exists within the security sandbox 104 ofFIG. 3. The web page 302, the script 304, the binary executable 306, theintermediate bytecode 308, the abstract syntax tree 310, and theexecutable application 312 are listed as general examples of thesandboxed application 112 of FIG. 3. According to one embodiment, a webpage 302 may be a document and/or an information resource that issuitable for the World Wide Web and can be accessed through a webbrowser and displayed on a monitor and/or a mobile device. According toone embodiment, a script 304 may be a program written for a softwareenvironment that automates the execution of tasks which couldalternatively be executed one-by-one by a human operator.

According to one embodiment, a binary executable 306 may be a binaryfile that may include a program in machine language which is ready to berun. According to one embodiment, an intermediate bytecode 308 may be aprogramming language implementation of instruction set designed forefficient execution by a software interpreter. According to oneembodiment, an abstract syntax tree 310 may be a tree representation ofthe abstract syntactic structure of source code written in a programminglanguage. According to one embodiment, an executable application 312 maybe a file that causes a computer to perform indicated tasks according toencoded instructions.

The HTML5 application 314, the Javascript® application 316, the Adobe®Flash® application 318, the Microsoft® Silverlight® application 326, theJQuery® application 324, and the AJAX application 320 are listed asspecific examples of the general examples of FIG. 3. According to oneembodiment, a HTML5 application 314 may be a program written in thefifth revision of the hypertext markup language standard for structuringand presenting content for the World Wide Web. According to oneembodiment, a Javascript® application 316 may be a program written in ascripting language commonly implemented as part of a web browser inorder to create enhanced user interfaces and dynamic websites. Accordingto one embodiment, an Adobe® Flash® application 318 may be a programwritten for a multimedia and software platform used for authoring ofvector graphics, animation, games and Rich Internet Applications (RIAs)which can be viewed, played, and executed in Adobe® Flash® Player.

According to one embodiment, an AJAX application 320 may be a programusing a XMLHttpRequest method, a program using a Msxml2.XMLHTTP method,a program using a Microsoft.XMLHTTP method, and/or any other web programthat can send data to and retrieve data from a server in the backgroundwithout interfering with the display and behavior of the existing page.According to one embodiment, a JQuery® application 324 may be a programwritten using a multi-browser collection of pre-written Javascript®designed to simply the client-side scripting of HTML. According to oneembodiment, a Microsoft® Silverlight® application 326 may be a programwritten in a framework for writing and running RIAs with features andpurposes similar to those of Adobe® Flash®.

The same origin policy exception 300 extends horizontally below thesecurity sandbox 104 of FIG. 3. According to one embodiment, a sameorigin policy exception 300 may be a cross-domain scripting technique, across-site scripting technique, a document.domain property, aCross-Origin Resource Sharing (CORS), a cross-document messaging, atechnique for relaxing a policy preventing access to methods andproperties across pages on different sites, and/or an access controlalgorithm governing a policy through which a secondary authentication isrequired when establishing a communication between the sandboxedapplication 112 and the networked device 102.

A client device 100 may establish a communication session between asandboxed application 112 and a sandbox reachable service 114 using across-site scripting technique of a security sandbox 104. A clientdevice 100 may also append a header 336 of a hypertext transfer protocolto permit a networked device 102 to communicate with a sandboxedapplication 112 as a permitted origin domain through a Cross-originresource sharing (CORS) algorithm. Further, a client device 100 mayutilize a same origin policy exception 300 through a use of a hyperlink328, a form 338, a script 332, a frame 330, a header 336, and/or animage 334 when establishing the connection between a sandboxedapplication 112 and a sandbox reachable service 114.

For example, FIG. 3 may encompass a HTML5 cross-domain scripting usingpostMessage where it is described HTML5 application 314. WithpostMessage, a calling window may call any other window in a hierarchyincluding those in other domains. A receiving window may set up amessage listener to receive said message and can return results byposting a result message back to a calling frame. Assuming a web pageresiding at http://example.com/index.html:

<iframe src=”http://bar.com” id=”iframe”></iframe> <form id=”form”> <input type=”text″ id=″msg″ value=″Message to send″/>  <inputtype=″submit″/> </form> <script> window.onload = function( ){ var win =document.getElementById(″iframe″).contentWindow;document.getElementById(″form″).onsubmit = function(e){ win.postMessage(document.getElementById(″msg″).value ); e.preventDefault( ); }; };</script>

An iframe may load the following HTML from bar.com:

<b>This iframe is located on bar.com</b> <div id=“test”>Send me amessage!</div> <script> document.addEventListener(“message”,function(e){ document.getElementById(“test”).textContent = e.domain + “said: ” + e.data; }, false); </script>

When a user 820 (e.g., a human agent who uses a service) clicks on thesubmit button, a message may be posted to the frame read from bar.comwhich changes “Send me a message!” to http://bar.com said: Message tosend.

The hyperlink 328, the frame 330, the script 332, the image 334, theheader 336, and the form 338 comprise aspects of the same origin policyexception 300 of FIG. 3. According to one embodiment, a hyperlink 328may be a reference to data that a reader can directly follow and/or thatis followed automatically. FIG. 3 may also be applicable to a hyperlinksend message interface (e.g., a mechanism by which a sandboxedapplication 112 sends a message to a pairing server 200) where it isdescribed a hyperlink 328 using an <A> tag to send a message to apairing server 200 comprised of a discovery service and a relay service.The <A> tag may link to pages that are not in a same domain as a webpage being viewed in a browser. As such a link may point to the pairingserver 200 and arguments to be passed in a message may be encoded askey-value pairs in a uniform resource identifier (URI) query string. Forexample,

-   -   <A HREF=http://pairing_server.com/f?a=10&b=bar>call f</A>

A sandboxed application 112 may announce to the pairing server 200. At alater time, a user 820 may visit example.com and view index.html. Whenthe user 820 clicks on a “call f” hyperlink, a HTTP request may be sentto the pairing server 200. “f” may refer to a path to some arbitraryfunction and key-value pairs a=10 and/or b=bar may be arguments to thatfunction. The pairing server 200 may receive an HTTP GET like thisrequest generated using Google Chrome™:

GET /f?a=10&b=bar HTTP/1.1 Host: pairing_server.com Connection:keep-alive Referer: http://example.dom/index.html Accept:application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X10_6_4; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63Safari/534.3 Accept-Encoding: gzip,deflate,sdch Accept-Language:en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

The URI may not indicate to which service a message is intended. Thismay be interpreted by the pairing server 200 as a private broadcastmeaning that a message passed via a message query interface (e.g., amechanism to communicate a message from a pairing server 200 to asandbox reachable service 114) is passed to all sandbox reachableservices in a shared network 202. In this case, a response HTML maysimply be a new web page that may include a confirmation dialog and/or anotification that a message has been sent.

According to one embodiment, a frame 330 may be a frameset, an inlineframe, and/or any display of web pages and/or media elements within thesame browser window. According to one embodiment, a script 332 may be aHTML tag used to define a program that may accompany an HTML documentand/or be directly embedded in it. FIG. 3 may encompass a SCRIPT tagwhere it is described a script 332 used to contact the pairing server200. For example, a server may deliver an http://example.com/index.htmlthat may include a cross-site <script> tag as follows:

<html>...<head> <script type=″text/Javascript″> function lookup_cb(d) {var services = d[″services″]; var slen = services.length; var s, len; s=″<ul>″; for ( var i = 0; i < slen; ++i ) s = s + ″<li>″ +services[i].name + ″</li>″; s = s + ″</ul>″;document.getElementById(″services″).innerHTML=s; }</script></head><body> ... <div id=”services”></div> ... <scriptid=″external_script″ type=″text/Javascript″></script> <script>document.getElementById(″external_script″).src =″http://pairing_server.com/fling/lookup?callback=lookup_cb″;</script></body></html>

In the example above, Javascript® may replace a source of a <script>with id “external_script” with a script downloaded from the pairingserver 200. A call being made to a sandbox reachable service 114 may beembedded in a call to “lookup” with a single argument“callback=lookup_cb.” The pairing server 200 may return a script thatmay include a result, e.g.,

lookup_cb({ “services”: [...], “yourip”: “69.106.59.218”, “version”:“1.0”, “interval”: 900 })

The result above may include a list of “services” discovered in a user's(e.g., the user of the client device 100) shared network 202. The resultmay be encapsulated inside a call to lookup_cb which was a callbackpassed in a SRC URI to an external_script <script> tag. A returnedscript may be automatically executed, causing lookup_cb to be called.lookup_cb may iterate over services in a result and may output them intothe HTML of the web page http://example.com/index.html.

According to one embodiment, an image 334 may be a HTML tag thatincorporates inline graphics into an HTML document. FIG. 3 may alsoencompass an <A> tag encapsulating an <IMG> tag where it is described animage 334, thereby allowing a link to take on the appearance of abutton, according to one embodiment. With Javascript® a behavior of theimage may be scripted to make the button change appearance when a mousepasses over the button or when a user clicks on the button, therebymaking the image behave more like a button. For example,

<A HREF=″http://pairing_server.com/f?a=10&b=bar″><IMG SRC=”f.jpg”>callf</IMG></A>

FIG. 3 may also be applicable to an IMG tag where it is described animage 334 used to communicate a call, according to one embodiment. Forexample,

-   -   <IMG SRC=“http://pairing_server.com/f?a=10&b=bar”>calling f . .        . </IMG>

This example may correspond to a call f with arguments a=10 and/orb=bar. The pairing server 200 sees

GET /f?a=10&b=bar HTTP/1.1 Host:ec2-204-236-247-87.compute-1.amazonaws.com:7878 Connection: keep-aliveReferer: http://dave.flingo.org/browser_behavior_tests/img_link.htmlCache-Control: max-age=0 Accept: */* User-Agent: Mozilla/5.0 (Macintosh;U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.3 (KHTML, like Gecko)Chrome/6.0.472.63 Safari/534.3 Accept-Encoding: gzip,deflateAccept-Language: en-US,en;q=0.8 Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3

A browser may expect an image to be returned by this request. As aresult, an IMG send message interface may not threaten a calling webpage with script injection attacks. However, it may limit what can bereturned with an IMG tag. The pairing server 200 may return a validtransparent IMG with width and height set to communicate a pair. Sincean IMG body has been loaded into the calling web page, the height andwidth of the image are immediately available to the calling page usingJavascript®, e.g.,

<HTML> <HEAD> ... <script type=″text/Javascript″> function loaded( ) {var im = document.getElementById(″image″) alert( ″image height=″ +im.height + ″ width=″ + im.width ); } </script> </HEAD><BODY>... <IMGID=″image″ SRC=”http://pairing_server.com/f?a=10&b=bar” onload=″loaded();″></IMG> </BODY> </HTML>

According to one embodiment, a header 336 may be an origin header, areferrer header, and/or any other supplemental data placed at thebeginning of a block of data being stored and/or transmitted. FIG. 3 maybe applicable to a passing of a URI of a web page that may include ahyperlink along with a GET request in a “referer [sic]” URI header whereit is described a header 336 when a user 820 clicks on a hyperlinkrendered from an <A> tag. A pairing server 200 can interpret a refererURI as an URI of a web page to be relayed to a sandbox reachable service114 that can render web pages. For example, the following hyperlinkappears in the web page http://example.com/foo.html

-   -   <A HREF=http://pairing_server.com/fling> fling this web page        </A>

When a user 820 clicks on “fling this page,” the pairing server 200 mayread the referer URI (e.g., associated with a client device 100) todetermine that the page http://example.com/foo.html should be relayed tothe receiving sandbox-reachable services.

FIG. 3 may also encompass interpreting a referer URI dependent on pagecontent where it is described a header 336, according to one embodiment.For example, a web page 302 that may include a video may cause areference to the video to be passed to a networked device 102.Similarly, a web page 302 that may include an audio may cause areference to the audio to be passed to a networked device 102.

According to one embodiment, a form 338 may be a HTML tag that allows aweb user to enter data that is sent to a server for processing. Forexample, FIG. 3 may encompass a sandboxed application 112 sendingmessages to a sandbox reachable service 114 via HTML FORMs where it isdescribed a form 338. The action of a form may direct the messages viathe pairing server 200. Assume a web page may reside athttp://example.com/index.html and assume a relay infrastructure may runon a server with example domain “pairing_server.com.” The video to berelayed may be titled “Waxing Love.”

<form name=“input” action=“http://pairing_server.com/fling”method=“post”> <INPUT TYPE=“HIDDEN” id=“title” name=“title”value=“Waxing Love” /> <INPUT TYPE=“HIDDEN” id=“description”name=“description” value=“An example video.” /> <INPUT TYPE=“HIDDEN”id=“uri” name=“uri” value=“http://example.com/wax.mp4” /> <INPUTTYPE=“SUBMIT” NAME=“submit” VALUE=“fling” /> </form>

A hidden type may populate an HTTP POST. In this example, an URI of aresource may be passed to a pairing server 200. The pairing server 200may treat the POST as a message to be forwarded to services. In thisexample, the server may see something like:

POST /fling HTTP/1.1

Host: pairing_server.com

Origin: http://example.com/index.html

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-us)

AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16

Content-Type: application/x-www-form-urlencoded

Accept:application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;

q=0.8,image/png,*/*;q=0.5

Referer: http://example.com/index.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Content-Length: 95

Connection: keep-alive

title=Waxing+Love&description=An+example+video.&uri=http%3A%2F%2Fexample.com%2Fwax.mp4

&submit=fling

The intended message may be encoded in key-value pairs of a messagebody. In this case a title, description, and URI and an operation“fling.”

FIG. 4 is an exploded view of the pairing server 200, according to oneembodiment. FIG. 4 shows a pairing server 200, a discovery module 400, adiscovery algorithm 402, a relay module 404, a relay algorithm 406, aprotocols 408, and a database 422.

The discovery module 400 and the relay module 404 communicate with thedatabase 422, and they all exist within the pairing server 200 of FIG.4. According to one embodiment, a discovery module 400 may be aself-contained component of a pairing server 200 that detects devicesand services on a network. According to one embodiment, a relay module404 may be a self-contained component of a pairing server 200 thattransmits data to an intermediate node located between a source anddestination that are separated by a distance that prevents directcommunications. According to one embodiment, a database 422 may be astructured collection of information.

A networked device 102 may announce a sandbox reachable service 114 to adiscovery module 400. When a shared network 202 is determined to becommonly associated with a client device 100 and a networked device 102,a pairing server 200 may receive, store using a processor 108 and amemory 110, and communicate to a client device 100 a global uniqueidentifier 208 and/or an alphanumeric name 210 in an announcement from anetworked device 102 along with a hardware address 222 associated withthe networked device 102, a public address pair 220 associated with asandbox reachable service 114 of the networked device 102, and/or aprivate address pair 212 associated with the sandbox reachable service114 of the networked device 102. A shared network 202 is determined tobe commonly associated with a client device 100 and a networked device102 when it is presently shared and/or was previously shared by thenetworked device 102 and the client device 100.

The discovery algorithm 402 exists within the discovery module 400 ofFIG. 4. According to one embodiment, a discovery algorithm 402 may be aprocedure for detecting devices and services on a network. A serviceagent module of a networked device 102 may coordinate communicationswith a discovery module 400 of a security sandbox 104 and/or a pairingserver 200. For example, the service agent sits outside a browser orbrowser-like security sandbox thereby allowing it to listen on a socket.Thus, it can act as a means for services on the same device to discoverone another. The service agent may also announce on behalf of service(s)local to that device.

The relay algorithm 406 exists within the relay module 404 of FIG. 4.According to one embodiment, a relay algorithm 406 may be a procedurefor transmitting data to an intermediate node located between a sourceand destination that are separated by a distance that prevents directcommunications. A service agent module of a networked device 102 maycoordinate communications with a discovery module 400 of a securitysandbox 104 and/or a pairing server 200. For example, the service agentsits outside a browser or browser-like security sandbox thereby allowingit to listen on a socket. Thus, it can act as a relay for messagesarriving from a shared network 202.

When a client device 100 and a networked device 102 reside on networksthat are incommunicable with each other comprising a firewallseparation, a different network separation, a physical separation,and/or an unreachable connection separation, a sandboxed application 112of a security sandbox 104 of the client device 100 and a sandboxreachable service 114 of the networked device 102 may communicate witheach other through a relay service employed by a pairing server 200having a discovery module 400 and a relay module 404 to facilitate atrusted communication (e.g., by guarding a GUID 208, a private IPaddress 808, and/or a hardware address 222 of a networked device 102and/or a sandbox reachable service 114 from a sandboxed application 112)between the sandboxed application 112 and the sandbox reachable service114.

The discovery module 400 and the relay module 404 can also communicateusing the protocols 408 of FIG. 4. According to one embodiment, aprotocols 408 may be a system of digital message formats and rules forexchanging those messages in and/or between devices sharing a network.

FIG. 5 is an exploded view of the client device 100, according to oneembodiment. FIG. 5 shows a client device 100, a discovery module 500, arelay module 504, a discovery algorithm 502, a relay algorithm 506, anextension 518, a sandboxed application 112, a protocols 508, a Bonjour®protocol 510, a Simple Service Discovery Protocol (SSDP) protocol 512, alocal service discovery (LSD) uTorrent® protocol 514, a local areanetwork (LAN) based protocol 516, a multicast protocol 519, and ananycast protocol 520.

The extension 518 exists within the client device 100 of FIG. 5.According to one embodiment, an extension 518 may be a program addingthe capabilities of a discovery module 500 and/or a relay module 504 toa browser. A client device 100 may extend a security sandbox 104 with adiscovery algorithm 502 and a relay algorithm 506 through a discoverymodule 500 and a relay module 504 added to the security sandbox 104. Aclient device 100 may also bypass a pairing server 200 having adiscovery algorithm 402 and a relay algorithm 406 when establishing aconnection between a sandboxed application 112 and a sandbox reachableservice 114 when the security is extended with the discovery algorithm502 and the relay algorithm 506 through the discovery module 500 and therelay module 504 added to a security sandbox 104.

The discovery module 500, the relay module 504, and the sandboxedapplication 112 exist within the extension 518 of FIG. 5. The discoverymodule 500 communicates with the relay module 504 of FIG. 5. Accordingto one embodiment, a discovery module 500 may be a self-containedcomponent of a client device 100 that detects devices and services on anetwork. According to one embodiment, a relay module 504 may be aself-contained component of a client device 100 that transmits data toan intermediate node located between a source and destination that areseparated by a distance that prevents direct communications. A networkeddevice 102 may announce a sandbox reachable service 114 to a discoverymodule 500. A networked device 102 may also automatically instantiate acommunication between a sandbox reachable service 114 of the networkeddevice 102 and a client device 100 when a relay module 504 sends arequest from a sandboxed application 112 of the client device 100 to thesandbox reachable service 114.

The discovery algorithm 502 exists within the discovery module 500 ofFIG. 5. A client device 100 may apply a discovery algorithm 502 of asecurity sandbox 104 to determine that a networked device 102 having asandbox reachable service 114 communicates in a shared network 202common to the client device 100 and the networked device 102.

The relay algorithm 506 exists within the relay module 504 of FIG. 5. Aclient device 100 may apply a relay algorithm 506 of a security sandbox104 to establish a connection between a sandboxed application 112 and asandbox reachable service 114 of a networked device 102. A client device100 may utilize a WebSocket (e.g., a web technology providingfull-duplex communications channels over a single Transmission ControlProtocol connection) and/or a long polling service message queryinterface to reduce a latency of message delivery during a trustedcommunication between a sandboxed application 112 and a sandboxreachable service 114. A client device 100 may also optimize a pollingperiod between polling such that it is less than a timeout period of asession through the relay service. A client device 100 may initiate arelay service through a series of web pages where information iscommunicated using a hyperlink 328 that points at a pairing server 200,and/or a form 338 having a confirmation dialog that is submitted back tothe pairing server 200. A global unique identifier 208 (e.g., of asandbox reachable service 114) may be masked through a pairing server200 when a confirmation dialog is served from the pairing server 200.

The discovery algorithm 502 and the relay algorithm 506 can communicateusing the protocols 508 of FIG. 5. The Bonjour® protocol 510, the SSDPprotocol 512, the LSD uTorrent® protocol 514, the LAN-based protocol516, the multicast protocol 519, and the anycast protocol 520 existwithin the protocols 508 of FIG. 5. According to one embodiment, aBonjour® protocol 510 may be a system of technologies including servicediscovery, address assignment, and hostname resolution developed byApple®. According to one embodiment, a SSDP protocol 512 may be anetwork protocol based on the Internet Protocol Suite for advertisementand discovery of network services and presence information that isaccomplished without assistance of server-based configuration mechanismsand without special static configuration of a network host. According toone embodiment, a LSD uTorrent® protocol 514 may be an extension to theBitTorrent® file distribution system that is designed to support thediscovery of local BitTorrent® peers, aiming to minimize traffic throughan Internet service provider's (ISP) channel and minimize use ofhigher-bandwidth LAN while implemented in a client with a small memoryfootprint. According to one embodiment, a LAN-based protocol 516 may bea system of broadcast-based local area network discovery. According toone embodiment, a multicast protocol 519 may be a system of deliveringinformation simultaneously to a group of destination devices in a singletransmission from a source. According to one embodiment, an anycastprotocol 520 may be a system of routing datagrams from a single senderto the topologically nearest node in a group of potential receivers,though it may be sent to several nodes, all identified by the samedestination address.

A discovery algorithm 502 may utilize a protocols 508 comprising aBonjour® protocol 510, a SSDP protocol 512, a LSD uTorrent® protocol514, a multicast protocol 519, an anycast protocol 520, and/or anotherLAN-based protocol 516 that discovers services in a LAN based on abroadcast from any one of an operating system service, a securitysandbox 104, a client device 100, a sandbox reachable service 114, and anetworked device 102.

FIG. 6 is a table of example network information stored in a database422 of a pairing server 200, according to one embodiment. FIG. 6 shows aGUID 208, an alphanumeric name 210, a network 600, a service 601, aNetwork Address Translator (NAT) 602, a port number 604, an IP address606, and a table 650. The GUID 208, the alphanumeric name 210, thenetwork 600, the service 601, the NAT 602, the port number 604, and theIP address 606 are headings for each column of a table 650 of FIG. 6.

According to one embodiment, a network 600 may be a collection ofhardware interconnected by communication channels that allow sharing ofresources and information. According to one embodiment, a service 601may be a description and/or a name of a service provided by a device.According to one embodiment, a NAT 602 may be an indication of whetheror not a NAT device is present on a network 600. According to oneembodiment, a port number 604 may be a 16-bit reference number for aprocess-specific software construct serving as a communications endpointin a computer's host operating system. According to one embodiment, anIP address 606 may be a numerical label assigned to each deviceparticipating in a computer network that uses the Internet Protocol forcommunication. According to one embodiment, a table 650 may be a set ofdata elements that is organized using a model of vertical columns whichare identified by names and horizontal rows. A sandbox reachable service114 may communicate a GUID 208 and/or an alphanumeric name 210 to apairing server 200 along with an IP address 606 and/or a port number 604of the sandbox reachable service 114.

FIG. 7 is a block diagram of a method by which a security sandbox 104can communicate with a sandbox reachable service 114 that previouslyoperated on a shared network 202, according to one embodiment. FIG. 7shows a client device 100, a storage 109, a remote access token 702, aprivate IP address 704, and a hardware address 222. The storage 109exists within the client device 100 of FIG. 7. The remote access token702 exists within the storage 109 of FIG. 7. According to oneembodiment, a remote access token 702 may be an object encapsulating asecurity descriptor of a process so that a client device 100 and anetworked device 102 that previously established a communication sessionautomatically recognize each other. A cookie associated with a securitysandbox 104 may be used to store a remote access token 702 on a storage109 (e.g., Web storage, HTML5 storage) of a client device 100. A clientdevice 100 can communicate with a sandbox reachable service 114 thatpreviously operated on a common shared network 202 through a remoteaccess token 702.

The private IP address 704 and the hardware address 222 comprise aspectsof the remote access token 702 of FIG. 7. According to one embodiment, aprivate IP address 704 may be an IP address of a node on a privatenetwork that may not be used to route packets on the public Internet. Aremote access token 702 may identify a set of communicable privateInternet Protocol (IP) address (e.g., the private ip address 704) and/orhardware addresses (e.g., the hardware address 222) associated with asandbox reachable service 114 that previously operated on a commonshared network 202 with a client device 100. For example, FIG. 7 mayencompass a preference for associating a device with a hardware address222 where it is described a hardware address 222. A private IP address704 may change as devices move between networks. However, a hardwareaddress 222 may be a stable, long-term pseudonym for a device and thusmay serve a good value from which to derive a remote access token 702.

FIG. 8 is a schematic diagram of a private network 800 and a privatenetwork 802 communicating over the public Internet via a NAT device 804and a NAT device 806, according to one embodiment. FIG. 8 shows a clientdevice 100, a networked device 102, a pairing server 200, a privatenetwork 800, a private network 802, a NAT device 804, a NAT device 806,a private IP address 808, a private IP address 810, a public IP address812, a public IP address 814, a tablet device 816, a printer 818, and auser 820.

The private network 800 and the private network 802 communicatebidirectionally through the pairing server 200 of FIG. 8. According toone embodiment, a private network 800 may be a home network and/or anyother network with private IP space that may be behind a NAT device 804.According to one embodiment, a private network 802 may be an officenetwork and/or any other network with private IP space that may bebehind a NAT device 806. A client device 100 (e.g., laptop) and anetworked device 102 (e.g., television) may reside on networks that areincommunicable with each other comprising a firewall separation, adifferent network separation, a physical separation, and/or anunreachable connection separation. A sandboxed application 112 of asecurity sandbox 104 of the client device 100 and a sandbox reachableservice 114 of the networked device 102 may communicate with each otherthrough a relay service employed by a pairing server 200 having thediscovery module and the relay module to facilitate a trustedcommunication between the sandboxed application 112 and the sandboxreachable service 114.

The NAT device 804, the networked device 102, and the tablet device 816are all interconnected and exist within the private network 800 of FIG.8. According to one embodiment, a NAT device 804 may be a device formodifying IP address information in IP packet headers while in transitacross a traffic routing device. According to one embodiment, a tabletdevice 816 may be a one-piece mobile computer, primarily operated bytouchscreen and/or an onscreen virtual keyboard. A NAT device 804 may becoupled with a network on which a networked device 102 operates.

The NAT device 806, the client device 100, and the printer 818 are allinterconnected and exist within the private network 802 of FIG. 8.According to one embodiment, a NAT device 806 may be a device formodifying IP address information in IP packet headers while in transitacross a traffic routing device. According to one embodiment, a printer818 may be a peripheral device which produces a representation of anelectronic document on physical media. A NAT device 806 may be coupledwith a network on which a client device 100 operates.

The NAT device 804 connects to the pairing server 200 through the publicIP address 812 of FIG. 8. The NAT device 804 connects to the networkeddevice 102 through the private IP address 808 of the networked device102 of FIG. 8. According to one embodiment, a public IP address 812 maybe an IP address of a private network 800 that may be used to routepackets on the public Internet. According to one embodiment, a privateIP address 808 may be an IP address of a networked device 102 on aprivate network 800. A trusted communication may be facilitated in amanner such that a sandboxed application 112 never learns a private IPaddress 808 and/or a hardware address 222 of a networked device 102 whena NAT device 804 may translate a private IP address 808 of a networkeddevice 102 to a public IP address 812 visible to a sandboxed application112.

The NAT device 806 connects to the pairing server 200 through the publicIP address 814 of FIG. 8. The NAT device 806 connects to the clientdevice 100 through the private IP address 810 of the client device 100of FIG. 8. According to one embodiment, a public IP address 814 may bean IP address of a private network 802 that may be used to route packetson the public Internet. According to one embodiment, a private IPaddress 810 may be an IP address of a networked device 102 on a privatenetwork 802. A trusted communication may be facilitated in a manner suchthat a sandboxed application 112 never learns a private IP address 808and/or a hardware address 222 of a networked device 102 when a NATdevice 806 may receive communications from a public IP address 812 of aprivate network 800 on which a sandbox reachable service 114 operates.

For example, FIG. 8 may encompass a sandboxed application 112 beingconstrained to know nothing but a description and/or name of a service(e.g., no private IP address 808, no hardware address 222, no GUID 208)where it is described a private IP address 808.

FIG. 8 may also be applicable to a sandboxed application 112 beingconstrained to know nothing at all about who receives a communication(e.g., no private IP address 808, no hardware address 222, no GUID 208,no description and/or name of a service) where it is described a privateIP address 808, according to one embodiment. For example, a sandboxedapplication 112 may include a hyperlink 328 to a pairing server 200 inwhich the hyperlink 328 may specify a message but no recipienthttp://flingo.tv/fling/a?url=url_of_media_to_be_played. A pairing server200 may disambiguate an intended recipient (e.g., by returning a form338 to a user 820 in which the user 820 may select a sandbox reachableservice 114). A returned form 338 may execute in a security sandbox 104associated with a domain of a pairing server 200 which may be differentfrom a security sandbox 104 of a sandboxed application 112.

The user 820 exists within the private network 802 of FIG. 8. Accordingto one embodiment, a user 820 may be a human and/or software agent whouses a computer and/or network service.

In another aspect, a method of a client device includes constraining anexecutable environment in a security sandbox. The method also includesexecuting a sandboxed application in the executable environment using aprocessor and a memory. Further, the method includes automaticallyinstantiating a connection between the sandboxed application and asandbox reachable service of a networked media device.

The method may include processing an identification data associated withthe sandbox reachable service sharing a public address with the clientdevice. The method may also include determining a private address pairof the sandbox reachable service based on the identification data.Additionally, the method may include establishing a communicationsession between the sandboxed application and the sandbox reachableservice using a cross-site scripting technique of the security sandbox.Further, the method may include appending a header of a hypertexttransfer protocol to permit the networked media device to communicatewith the sandboxed application as a permitted origin domain through aCross-origin resource sharing (CORS) algorithm. The header may be eitherone of a origin header when the CORS algorithm is applied and a referrerheader in an alternate algorithm.

The method may further include accessing a pairing server whenprocessing the identification data associated with the sandbox reachableservice sharing the public address with the client device. The pairingserver may perform a discovery lookup of any device that has announcedthat it shares the public address associated with the client device. Thesandbox reachable service may announce itself to the pairing serverprior to the establishment of the communication session between thesandboxed application and the sandbox reachable service. The sandboxreachable service may also announce its availability across a range ofpublic addresses such that the sandboxed application communicates withthe sandbox reachable service in any one of the range of the publicaddresses. However, the range of public addresses may be known by thepairing server so that the announcement of the availability of thesandbox reachable service across the range of public addresses isunnecessary. The sandbox reachable service may communicate a globalunique identifier and/or an alphanumeric name to the pairing serveralong with the private address pair of the sandbox reachable service.The private address pair may include a private IP address and a portnumber associated with the sandbox reachable service.

The method may further include eliminating a communication through acentralized infrastructure when the sandboxed application and thesandbox reachable service communicate in a shared network common to theclient device and the networked media device when the connection isestablished. The shared network may be a local area network, a multicastnetwork, an anycast network, and/or a multilan network. The method mayalso include minimizing a latency in the communication session when thesandboxed application and the sandbox reachable service communicate inthe shared network common to the client device and the networked mediadevice when the connection is established. Further, the method mayinclude improving privacy in the communication session when thesandboxed application and the sandbox reachable service communicate inthe shared network common to the client device and the networked mediadevice when the connection is established.

The sandboxed application may be a web page, a script, a binaryexecutable, an intermediate bytecode, an abstract syntax tree, and/or anexecutable application in the security sandbox. The sandboxedapplication may comprise a markup language application such as aHyperText Markup Language 5 (HTML5) application, a Javascript®application, an Adobe® Flash® application, a Microsoft® Silverlight®application, a JQuery® application, and/or an Asynchronous Javascript®and a XML (AJAX) application. An access control algorithm may govern apolicy through which a secondary authentication is required whenestablishing a communication between the sandboxed application and thenetworked media device. The method may include utilizing an exception toa same origin policy through a use of a hyperlink, a form, the script, aframe, a header, and an image when establishing the connection betweenthe sandboxed application and the sandbox reachable service.

The method may include extending the security sandbox with a discoveryalgorithm and a relay algorithm through a discovery module and a relaymodule added to the security sandbox. The method may also includebypassing a pairing server having the discovery algorithm and the relayalgorithm when establishing the connection between the sandboxedapplication and the sandbox reachable service when the security sandboxis extended with the discovery algorithm and the relay algorithm throughthe discovery module and the relay module added to the security sandbox.

The method may further include applying the discovery algorithm of thesecurity sandbox to determine that the networked media device having thesandbox reachable service communicates in a shared network common to theclient device and the networked media device. The method may alsoinclude applying the relay algorithm of the security sandbox toestablish the connection between the sandboxed application and thesandbox reachable service of the networked media device. The discoveryalgorithm may utilize a protocol comprising a Bonjour® protocol, a SSDPprotocol, a LSD uTorrent® protocol, a multicast protocol, an anycastprotocol, and/or another Local Area Network (LAN) based protocol thatdiscovers services in a LAN based on a broadcast from any one of anoperating system service, the security sandbox, the client device, thesandbox reachable service, and the networked media device.

A cookie associated with the security sandbox may be used to store aremote access token on a storage of the client device. The remote accesstoken may identify a set of communicable private Internet Protocol (IP)addresses and/or hardware addresses associated with sandbox reachableservices that previously operated on a common shared network with theclient device. The client device may communicate with the sandboxreachable services that previously operated on the common shared networkthrough the remote access token.

The client device and the networked media device may reside on networksthat are incommunicable with each other comprising a firewallseparation, a different network separation, a physical separation,and/or an unreachable connection separation. The sandboxed applicationof the security sandbox of the client device and the sandbox reachableservice of the networked media device may communicate with each otherthrough a relay service employed by a pairing server having a discoverymodule and a relay module to facilitate a trusted communication betweenthe sandboxed application and the sandbox reachable service.

The trusted communication may be facilitated in a manner such that thesandboxed application never learns a private IP address and/or ahardware address of the networked media device. This may occur when afirst Network Address Translator (NAT) device receives communicationsfrom a public IP address of a different network on which the sandboxreachable service operates, and a second NAT device translates theprivate IP address of the networked media device to the public IPaddress visible to the sandboxed application. The first NAT device maybe coupled with a network on which the client device operates. Thesecond NAT device may be coupled with the different network on which thenetworked media device operates.

The networked media device may comprise a number of sandbox reachableapplications including the sandbox reachable application. A serviceagent module of the networked media device may coordinate communicationswith the discovery module of the security sandbox and/or the pairingserver. The security sandbox may be an operating system on which thesandboxed application is hosted and/or a browser application of theoperating system. The networked media device may be a television, aprojection screen, a multimedia display, a touchscreen display, an audiodevice, and/or a multidimensional visual presentation device.

The method may include utilizing a WebSocket and/or a long pollingservice message query interface to reduce a latency of message deliveryduring the trusted communication between the sandboxed application andthe sandbox reachable service. The method may also include optimizing apolling period between polling such that it is less than a timeoutperiod of a session through the relay service. The method may furtherinclude initiating the relay service through a series of web pages whereinformation is communicated using hyperlinks that point at the pairingserver, and/or a form having a confirmation dialog that is submittedback to the pairing server. A global unique identifier may be maskedthrough the pairing server when the confirmation dialog is served fromthe pairing server.

In one embodiment, a method of a networked device includes announcing asandbox reachable service of the networked device to a discovery moduleusing a processor and memory. The method also includes automaticallyinstantiating a communication between the sandbox reachable service ofthe networked device and a client device when a relay module sends arequest from a sandboxed application of the client device to the sandboxreachable service.

In yet another embodiment, a system includes a networked device toannounce a sandbox reachable service of the networked device to adiscovery module using a processor and memory. The system also includesa client device to constrain an executable environment in a securitysandbox, to execute a sandboxed application in the security sandbox, andto automatically instantiate a connection between the sandboxedapplication and the sandbox reachable service of the networked device.

In still another embodiment, a method of a pairing server includesreceiving, storing using a processor and a memory, and communicating toa client device a global unique identifier and/or an alphanumeric namein an announcement from a networked device along with a hardware addressassociated with the networked device, a public address pair associatedwith a sandbox reachable service of the networked device, and/or aprivate address pair associated with the sandbox reachable service ofthe networked device when a shared network is determined to be commonlyassociated with the client device and the networked device. The sharednetwork is a local area network, a multicast network, an anycastnetwork, and/or a multilan network.

For example, Jane may watch the local news and/or access an applicationthrough her mobile device while sitting on a couch in her living room.Jane may wish to automatically display the local news and/or applicationof a big screen television in front of her couch. Jane may use a gestureto transport the local news and/or application to the big screentelevision. For example, Jane may ‘fling’ (or flick) the screen on hermobile device in which the local news and/or application is running inan upward motion, and instantly transport the local news and/orapplication onto her big screen television. In an alternate embodiment,the big screen television may automatically detect that Jane is playingthe local news and/or running the application on her mobile device andautomatically launch the local news (in its current play state) and/orrun the application on the big screen television after detection(without requiring a fling or flick haptic gesture by Jane).

While Jane is playing the local news and/or running the application onthe big screen television, Jane may see advertisements that relate towhere she is located, where she works, and/or what she is currentlywatching on the big screen television on her mobile device through thecapture infrastructure described herein. Conversely, if Jane wereplaying the local news and/or running the application on her mobiledevice, she could see advertisements directly related to the activitiesshe is currently doing on her big screen television (and orsimultaneously on the mobile device). This is made possible through thevarious methods and techniques described herein, particularly withrespect to improvement of advertisement targeting through embeddedscripts in supply-side and/or demand-side platforms.

Although the present embodiments have been described with reference tospecific example embodiments, it will be evident that variousmodifications and changes may be made to these embodiments withoutdeparting from the broader spirit and scope of the various embodiments.For example, the various devices and modules described herein may beenabled and operated using hardware circuitry (e.g., CMOS based logiccircuitry), firmware, software or any combination of hardware, firmware,and/or software (e.g., embodied in a machine readable medium). Forexample, the various electrical structure and methods may be embodiedusing transistors, logic gates, and/or electrical circuits (e.g.,application specific integrated (ASIC) circuitry and/or Digital SignalProcessor (DSP) circuitry).

In addition, it will be appreciated that the various operations,processes, and/or methods disclosed herein may be embodied in amachine-readable medium and/or a machine accessible medium compatiblewith a data processing system (e.g., a computer device). Accordingly,the specification and drawings are to be regarded in an illustrative inrather than a restrictive sense.

What is claimed is:
 1. A method of a client device comprising:constraining an executable environment in a security sandbox; executinga sandboxed application in the constrained executable environment;through the sandboxed application, associating with a networked mediadevice by way of a sandbox reachable service executing on the networkedmedia device using a communication provided by the networked mediadevice; applying an automatic content recognition algorithm to determinea content identifier of an audio-visual data rendered through thesandboxed application; associating the content identifier with anadvertisement data based on a semantic correlation between a metadata ofthe advertisement data provided by a content provider and the contentidentifier; targeting the advertisement data at the networked mediadevice based on the association of the content identifier with theadvertisement data and the association between the client device and thenetworked media device; and executing, through the sandboxedapplication, arbitrary cross-site scripts to improve targeting of theadvertisement data based on embedding a script in at least one of theclient device, a supply-side platform, and a data provider integratedwith the supply side platform.
 2. The method of claim 1, comprising:associating the content identifier with the advertisement data generatedthrough an advertising exchange server based on the content identifierand a public IP address associated with an application requesting theadvertisement data, wherein at least one of: a provider of the contentidentifier receives a compensation when the advertisement data isassociated with the audio-visual data based on the public IP addressassociated with the application requesting the advertisement data, theprovider of the content identifier appends at least one of a set ofcontent identifiers from associated clients and a viewing history fromthe associated clients to a plurality of advertisements and resells theadvertisement data back to an advertising exchange based on the appendedcontent identifiers, a capture infrastructure annotates the audio-visualdata with at least one of a brand name and a product name by comparingentries in a master database with at least one of a closed captioningdata of the audio-visual data and through application of an opticalcharacter recognition algorithm to the audio-visual data, the methodfurther comprises requesting, through the sandboxed application, accessto at least one of a microphone and a camera on the client device tocapture a raw audio/video data, the capture infrastructure processes theraw audio/video data with the at least one of the brand name and theproduct name by comparing the entries in the master database with atleast one of the raw audio/video data and through application of asensory recognition algorithm of the raw audio/video data, the contentidentifier is at least one of a music identification, an objectidentification, a facial identification, and a voice identification, aminimal functionality comprising accessing at least one of a tuner and astream decoder that identifies at least one of a channel and a contentis found in the networked media device, the networked media deviceproduces at least one of an audio fingerprint and a video fingerprintthat is communicated with the capture infrastructure, the captureinfrastructure compares the at least one of the audio fingerprint andthe video fingerprint with the master database, the captureinfrastructure annotates the audio-visual data with a logo name bycomparing the entries in the master database with a logo data of theaudio-visual data identified using a logo detection algorithm, thecapture infrastructure automatically divides the audio-visual data intoa series of scenes based on a semantic grouping of actions in theaudio-visual data, the audio-visual data is analyzed in advance of abroadcast to determine content identifiers associated with eachcommercial in the audio-visual data such that advertisements arepre-inserted into the audio-visual data prior to broadcast, the captureinfrastructure applies a time-order algorithm to automatically match theadvertisements to the audio-visual data when a correlation pattern isidentified by the capture infrastructure with other audio-visual contentpreviously analyzed, the capture infrastructure includes a buffer thatis saved to a persistent storage and for which a label is generated tofacilitate identification of reoccurring sequences, a post processingoperation is at least one of automated through a post-processingalgorithm and a crowd-sourced operation using a plurality of users inwhich a turing test is applied to determine a veracity of an input, adevice pairing algorithm is used in which a cookie data associated witha web page visited by a user stored on a browser on the client device ispaired with the networked media device when the client device iscommunicatively coupled with the networked media device, a transitivepublic IP matching algorithm is utilized in which at least one of theclient device and the networked media device communicates each public IPaddress with any paired entity to the capture infrastructure, a tag thatis unconstrained from a same-origin policy is used to automatically loadan advertisement in the browser, and the tag is at least one of an imagetag, a frame, a iframe, and a script tag.
 3. The method of claim 2,further comprising: referencing an additional metadata comprising atleast one of the content identifier and the advertisement based on avideo processing algorithm, wherein the additional metadata is at leastone of a title, a description, a thumbnail, a name of an individual, anda historical data, and wherein the additional metadata is determinedfrom a browser history captured from the client device based on acapture policy, and correlating a relevance of the browser history withthe at least one of the content identifier and the advertisement;automatically instantiating a connection between the sandboxedapplication and an unannounced device associated with the networkedmedia device based on the determination that an IP address of a portfrom the unannounced device is associated with the networked mediadevice; processing an identification data associated with the sandboxreachable service sharing a public address with the client device;determining a private address pair of the sandbox reachable servicebased on the identification data; establishing a communication sessionbetween the sandboxed application and the sandbox reachable serviceusing a cross-site scripting technique of the security sandbox;appending a header of a hypertext transfer protocol to permit thenetworked media device to communicate with the sandboxed application asa permitted origin domain through a Cross-origin resource sharing (CORS)algorithm, wherein at least one of: the header is either one of a originheader when the CORS algorithm is applied and a referrer header in analternate algorithm, the sandboxed application queries a MAC address ofthe sandbox reachable service in a common private network, the sandboxreachable service optionally verifies that the sandboxed application isin the common private network, the sandbox reachable servicecommunicates a MAC address of the sandboxed application to the sandboxedapplication when the common private network is shared, the sandboxedapplication stores the MAC address of the sandboxed application and aunique identifier derived from the MAC address of the sandboxedapplication, and the sandboxed application communicates the MAC addressand the unique identifier to a pairing server; and automaticallyregenerating the script embedded in the at least one of the clientdevice, the supply-side platform, and the data provider integrated withthe supply side platform when the common private network is shared bythe sandboxed application and sandboxed reachable service based on theMAC address of the sandboxed application and the unique identifiercommunicated to the pairing server.
 4. The method of claim 3, furthercomprising: extending the security sandbox with a discovery algorithmand a relay algorithm through a discovery module and a relay moduleadded to the security sandbox; and bypassing the pairing server havingthe discovery algorithm and the relay algorithm when establishing thecommunication session between the sandboxed application and the sandboxreachable service when the security sandbox is extended with thediscovery algorithm and the relay algorithm through the discovery moduleand the relay module added to the security sandbox.
 5. The method ofclaim 4, further comprising: applying the discovery algorithm of thesecurity sandbox to determine that the networked media device having thesandbox reachable service communicates in a shared network common to theclient device and the networked media device; and applying the relayalgorithm of the security sandbox to establish the communication sessionbetween the sandboxed application and the sandbox reachable service ofthe networked media device.
 6. The method of claim 4: wherein thediscovery algorithm utilizes a protocol comprising at least one of aBonjour® protocol, a SSDP protocol, a LSD uTorrent® protocol, amulticast protocol, an anycast protocol, and another Local Area Networkbased protocol that discovers services in a Local Area Network based ona broadcast from any one of an operating system service, the securitysandbox, the client device, the sandbox reachable service, and thenetworked media device.
 7. The method of claim 3, further comprising:accessing the pairing server when processing the identification dataassociated with the sandbox reachable service sharing the public addresswith the client device, wherein the pairing server performs a discoverylookup of any device that has announced sharing of the public addressassociated with the client device, and wherein the sandbox reachableservice announces itself to the pairing server prior to theestablishment of the communication session between the sandboxedapplication and the sandbox reachable service.
 8. The method of claim 7,wherein at least one of: the sandbox reachable service announces anavailability of the sandbox reachable service across a range of publicaddresses such that the sandboxed application communicates with thesandbox reachable service in any one of the range of the publicaddresses, the range of public addresses is known by the pairing serverso that the announcement of the availability of the sandbox reachableservice across the range of public addresses is unnecessary, the sandboxreachable service communicates at least one of a global uniqueidentifier and an alphanumeric name to the pairing server along with theprivate address pair of the sandbox reachable service, and the privateaddress pair includes a private IP address and a port number associatedwith the sandbox reachable service.
 9. The method of claim 3, furthercomprising: wherein the sandboxed application is at least one of a webpage, a script, a binary executable, an intermediate bytecode, anabstract syntax tree, and an executable application in the securitysandbox, wherein the sandboxed application comprises at least one of aHyperText Markup Language 5 (HTML5) application, a Javascript®application, an Adobe® Flash® application, a Microsoft® Silverlight®application, a JQuery® application, an Asynchronous Javascript® and anXML (AJAX) application, and wherein an access control algorithm governsa policy through which a secondary authentication is required whenestablishing the communication session between the sandboxed applicationand the networked media device.
 10. The method of claim 9, furthercomprising: utilizing an exception to a same origin policy through a useof at least one of a hyperlink, a form, the script, a frame, a header,and an image when establishing the communication session between thesandboxed application and the sandbox reachable service.
 11. The methodof claim 3, further comprising: eliminating a communication through acentralized infrastructure when the sandboxed application and thesandbox reachable service communicate in a shared network common to theclient device and the networked media device when the connection isinstantiated, the shared network being at least one of a local areanetwork, a multicast network, an anycast network, and a multilannetwork; minimizing a latency in the communication session when thesandboxed application and the sandbox reachable service communicate inthe shared network common to the client device and the networked mediadevice when the connection is instantiated; and improving privacy in thecommunication session when the sandboxed application and the sandboxreachable service communicate in the shared network common to the clientdevice and the networked media device when the connection isinstantiated.
 12. The method of claim 1, wherein the client device andthe networked media device reside on networks that are incommunicablewith each other comprising at least one of a firewall separation, adifferent network separation, a physical separation, and an unreachableconnection separation, and wherein the sandboxed application of thesecurity sandbox of the client device and the sandbox reachable serviceof the networked media device communicate with each other through arelay service employed by a pairing server having a discovery module anda relay module to facilitate a trusted communication between thesandboxed application and the sandbox reachable service.
 13. The methodof claim 12: wherein the trusted communication is facilitated such thatthe sandboxed application never learns at least one of a private IPaddress and a hardware address of the networked media device when: afirst Network Address Translator (NAT) device coupled with a network onwhich the client device operates receives communications from a publicIP address of a different network on which the sandbox reachable serviceoperates, and a second NAT device coupled with the different network onwhich the networked media device operates translates the private IPaddress of the networked media device to the public IP address visibleto the sandboxed application.
 14. The method of claim 12: wherein thenetworked media device comprises a plurality of sandbox reachableapplications including the sandbox reachable application, wherein aservice agent module of the networked media device coordinatescommunications with a discovery module of at least one of the securitysandbox and the pairing server, wherein the security sandbox is at leastone of an operating system on which the sandboxed application is hostedand a browser application of the operating system, and wherein thenetworked media device is at least one of a television, a projectionscreen, a multimedia display, a touchscreen display, an audio device,and a multidimensional visual presentation device.
 15. The method ofclaim 12, further comprising: utilizing at least one of a WebSocket anda long polling service message query interface to reduce a latency ofmessage delivery during the trusted communication between the sandboxedapplication and the sandbox reachable service; and optimizing a pollingperiod between polling to be less than a timeout period of a sessionthrough the relay service.
 16. The method of claim 12, furthercomprising: initiating the relay service through at least one of aseries of web pages where information is communicated using hyperlinksthat point at the pairing server, and a form having a confirmationdialog that is submitted back to the pairing server, and wherein aglobal unique identifier is masked through the pairing server when theconfirmation dialog is served from the pairing server.
 17. The method ofclaim 1, wherein a cookie associated with the security sandbox is usedto store a remote access token on a storage of the client device,wherein the remote access token identifies at least one of a set ofcommunicable private IP addresses and hardware addresses associated withsandbox reachable services that previously operated on a common sharednetwork with the client device, and wherein the client device cancommunicate with the sandbox reachable services that previously operatedon the common shared network through the remote access token.
 18. Amethod of a networked device comprising: associating with a clientdevice executing a sandboxed application by way of a sandbox reachableservice executing on the networked device using a communication providedby the networked device, the client device constraining an executableenvironment in a security sandbox and executing the sandboxedapplication in the constrained executable environment; applying anautomatic content recognition algorithm to determine a contentidentifier of an audio-visual data; associating the content identifierwith an advertisement data based on a semantic correlation between ametadata of the advertisement data provided by a content provider andthe content identifier; targeting the advertisement data at the clientdevice based on the association of the content identifier with theadvertisement data and the association between the client device and thenetworked device; and improving targeting of the advertisement data inaccordance with the association between the client device and thenetworked device based on embedding a script is in at least one of theclient device, a supply-side platform, and a data provider integratedwith the supply side platform to enable execution of arbitrarycross-site scripts in the sandboxed application of the client device.19. The method of claim 12, further comprising: accessing a pairingserver when processing an identification data associated with thesandbox reachable service of the networked device that shares a publicaddress with the client device, wherein the pairing server performs adiscovery lookup of any device that has announced that it shares thepublic address associated with the client device, and wherein thesandbox reachable service announces itself to the pairing server priorto establishment of a communication session between the sandboxedapplication and the sandbox reachable service; appending a header of ahypertext transfer protocol to permit the networked device tocommunicate with the sandboxed application as a permitted origin domainthrough a CORS algorithm, the header being either one of a origin headerwhen the CORS algorithm is applied and a referrer header in an alternatealgorithm in accordance with the client device: processing theidentification data associated with the sandbox reachable servicesharing the public address with the client device; determining a privateaddress pair of the sandbox reachable service based on theidentification data; and establishing the communication session betweenthe sandboxed application and the sandbox reachable service using across-site scripting technique of the security sandbox, wherein thesandboxed application queries a MAC address of the sandbox reachableservice in a common private network, wherein the method furthercomprises the sandbox reachable service optionally verifying that thesandboxed application is in the common private network, wherein themethod further comprises the sandbox reachable service communicating aMAC address of the sandboxed application to the sandboxed applicationwhen the common private network is shared, wherein the sandboxedapplication stores the MAC address of the sandboxed application and aunique identifier derived from the MAC address of the sandboxedapplication, and wherein the sandboxed application communicates the MACaddress and the unique identifier to the pairing server; andautomatically regenerating the script embedded in the at least one ofthe client device, the supply-side platform, and the data providerintegrated with the supply side platform when the common private networkis shared by the sandboxed application and the sandbox reachable servicebased on the MAC address of the sandboxed application and the uniqueidentifier communicated to the pairing server.
 20. The method of claim19, wherein the communication session is established between thesandboxed application and the sandbox reachable service in accordancewith the client device: extending the security sandbox with a discoveryalgorithm and a relay algorithm through a discovery module and a relaymodule added to the security sandbox; and bypassing the pairing serverhaving a discovery algorithm and a relay algorithm when establishing thecommunication session between the sandboxed application and the sandboxreachable service when the security sandbox is extended with thediscovery algorithm and the relay algorithm through the discovery moduleand the relay module added to the security sandbox.
 21. The method ofclaim 20: wherein the client device and the networked device reside onnetworks that are incommunicable with each other comprising at least oneof a firewall separation, a different network separation, a physicalseparation, and an unreachable connection separation, and wherein thesandboxed application of the security sandbox of the client device andthe sandbox reachable service of the networked device communicate witheach other through a relay service employed by the pairing server havingthe discovery module and the relay module to facilitate a trustedcommunication between the sandboxed application and the sandboxreachable service.
 22. The method of claim 21: wherein the trustedcommunication is facilitated such that the sandboxed application neverlearns at least one of a private IP address and a hardware address ofthe networked device when: a first NAT device coupled with a network onwhich the client device operates receives communications from a publicIP address of a different network on which the sandbox reachable serviceoperates, and a second NAT device coupled with the different network onwhich the networked device operates translates the private IP address ofthe networked device to the public IP address visible to the sandboxedapplication.
 23. The method of claim 21, wherein the communicationsession is established between the sandboxed application and the sandboxreachable service in accordance with the client device: utilizing atleast one of a WebSocket and a long polling service message queryinterface to reduce a latency of message delivery during the trustedcommunication between the sandboxed application and the sandboxreachable service; and optimizing a polling period between polling to beless than a timeout period of a session through the relay service. 24.The method of claim 21, wherein the communication session is establishedbetween the sandboxed application and the sandbox reachable service inaccordance with the client device: initiating the relay service throughat least one of a series of web pages where information is communicatedusing hyperlinks that point at the pairing server, and a form having aconfirmation dialog that is submitted back to the pairing server,wherein a global unique identifier is masked through the pairing serverwhen the confirmation dialog is served from the pairing server.
 25. Themethod of claim 20, wherein the communication session is establishedbetween the sandboxed application and the sandbox reachable service inaccordance with the client device: applying the discovery algorithm ofthe security sandbox to determine that the networked device having thesandbox reachable service communicates in a shared network common to theclient device and the networked device; and applying the relay algorithmof the security sandbox to establish the communication session betweenthe sandboxed application and the sandbox reachable service of thenetworked device.
 26. The method of claim 20: wherein the discoveryalgorithm utilizes a protocol comprising at least one of a Bonjour®protocol, a SSDP protocol, a LSD uTorrent® protocol, a multicastprotocol, an anycast protocol, and another Local Area Network basedprotocol that discovers services in a Local Area Network based on abroadcast from any one of an operating system service, the securitysandbox, the client device, the sandbox reachable service, and thenetworked device.
 27. The method of claim 20: wherein the networkeddevice comprises a plurality of sandbox reachable applications includingthe sandbox reachable application, wherein a service agent module of thenetworked device coordinates communications with the discovery module ofat least one of the security sandbox and the pairing server, wherein thesecurity sandbox is at least one of an operating system on which thesandboxed application is hosted and a browser application of theoperating system, and wherein the networked device is at least one of atelevision, a projection screen, a multimedia display, a touchscreendisplay, an audio device, a weather measurement device, a trafficmonitoring device, a status update device, a global positioning device,a geospatial estimation device, a tracking device, a bidirectionalcommunication device, a unicast device, a broadcast device, and amultidimensional visual presentation device.
 28. The method of claim 19wherein: the pairing server performs a discovery lookup of any devicethat has announced sharing of the public address associated with theclient device, and the method further comprises the sandbox reachableservice announcing itself to the pairing server prior to theestablishment of the communication session between the sandboxedapplication and the sandbox reachable service.
 29. The method of claim28 further comprising at least one of: announcing an availability of thesandbox reachable service across a range of public addresses such thatthe sandboxed application communicates with the sandbox reachableservice in any one of the range of the public addresses; andcommunicating at least one of a global unique identifier, a hardwareaddress, and an alphanumeric name to the pairing server along with theprivate address pair of the sandbox reachable service, wherein theprivate address pair includes a private IP address and a port numberassociated with the sandbox reachable service.
 30. The method of claim19: wherein the sandboxed application is at least one of a web page, ascript, a binary executable, an intermediate bytecode, an abstractsyntax tree, and an executable application in the security sandbox,wherein the sandboxed application comprises at least one of a HTML5application, a Javascript® application, an Adobe® Flash® application, aMicrosoft® Silverlight® application, a JQuery® application, anAsynchronous Javascript® and an XML (AJAX) application, and wherein anaccess control algorithm governs a policy through which a secondaryauthentication is required when establishing the communication sessionbetween the sandboxed application and the networked device.
 31. Themethod of claim 30, wherein the communication session is establishedbetween the sandboxed application and the sandbox reachable service inaccordance with the client device: utilizing an exception to a sameorigin policy through a use of at least one of a hyperlink, a form, thescript, a frame, a header, and an image.
 32. The method of claim 19,further comprising: eliminating a communication through a centralizedinfrastructure when the sandboxed application and the sandbox reachableservice communicate in a shared network common to the client device andthe networked device when the communication session is established, theshared network being at least one of a local area network, a multicastnetwork, an anycast network, and a multilan network; minimizing alatency in the communication session when the sandboxed application andthe sandbox reachable service communicate in the shared network commonto the client device and the networked device when the communicationsession is established; and improving privacy in the communicationsession when the sandboxed application and the sandbox reachable servicecommunicate in the shared network common to the client device and thenetworked device when the communication session is established.
 33. Themethod of claim 18, comprising: associating the content identifier withthe advertisement data generated through an advertising exchange serverbased on the content identifier and a public IP address associated withan application requesting the advertisement data, wherein at least oneof: a provider of the content identifier receives a compensation whenthe advertisement data is associated with the audio-visual data based onthe public IP address associated with the application requesting theadvertisement data, the provider of the content identifier appends atleast one of a set of content identifiers from associated clients and aviewing history from the associated clients to a plurality ofadvertisements and resells the advertisement data back to an advertisingexchange based on the appended content identifiers, a captureinfrastructure annotates the audio-visual data with at least one of abrand name and a product name by comparing entries in a master databasewith at least one of a closed captioning data of the audio-visual dataand through application of an optical character recognition algorithm tothe audio-visual data, the sandboxed application of the client devicerequests access to at least one of a microphone and a camera on theclient device to capture a raw audio/video data, the captureinfrastructure processes the raw audio/video data with the at least oneof the brand name and the product name by comparing the entries in themaster database with at least one of the raw audio/video data andthrough application of a sensory recognition algorithm of the rawaudio/video data, the content identifier is at least one of a musicidentification, an object identification, a facial identification, and avoice identification, wherein a minimal functionality comprisingaccessing at least one of a tuner and a stream decoder that identifiesat least one of a channel and a content is found in the networkeddevice, the method further comprises producing, through the networkeddevice, at least one of an audio fingerprint and a video fingerprintthat is communicated with the capture infrastructure, the captureinfrastructure compares the at least one of the audio fingerprint andthe video fingerprint with the master database, the captureinfrastructure annotates the audio-visual data with a logo name bycomparing the entries in the master database with a logo data of theaudio-visual data identified using a logo detection algorithm, thecapture infrastructure automatically divides the audio-visual data intoa series of scenes based on a semantic grouping of actions in theaudio-visual data, the audio-visual data is analyzed in advance of abroadcast to determine content identifiers associated with eachcommercial in the audio-visual data such that advertisements arepre-inserted into the audio-visual data prior to the broadcast, thecapture infrastructure applies a time-order algorithm to automaticallymatch the advertisements to the audio-visual data when a correlationpattern is identified by the capture infrastructure with otheraudio-visual content previously analyzed, the capture infrastructureincludes a buffer that is saved to a persistent storage and for which alabel is generated to facilitate identification of reoccurringsequences, a post processing operation is at least one of automatedthrough a post-processing algorithm and a crowd-sourced operation usinga plurality of users in which a turing test is applied to determine averacity of an input, a device pairing algorithm is used in which acookie data associated with a web page visited by a user stored on abrowser on the client device is paired with the networked device whenthe client device is communicatively coupled with the networked device,a transitive public IP matching algorithm is utilized in which at leastone of the client device and the networked device communicates eachpublic IP address with any paired entity to the capture infrastructure,a tag that is unconstrained from a same-origin policy is used toautomatically load an advertisement in the browser, and the tag is atleast one of an image tag, a frame, a iframe, and a script tag.
 34. Themethod of claim 18: wherein a cookie associated with the securitysandbox is used to store a remote access token on a storage of theclient device, wherein the remote access token identifies at least oneof a set of communicable private IP addresses and hardware addressesassociated with sandbox reachable services that previously operated on acommon shared network with the client device, and the client device cancommunicate with the sandbox reachable services that previously operatedon the common shared network through the remote access token.
 35. Asystem comprising: a client device to: constrain an executableenvironment in a security sandbox, and execute a sandboxed applicationin the constrained executable environment; and a networked device toexecute a sandbox reachable service thereon, the client device and thenetworked device are associated with each other through the sandboxedapplication by way of the sandbox reachable service using acommunication provided by the networked device, wherein at least one of:the networked device and the client device is configured to apply anautomatic content recognition algorithm to determine a contentidentifier of an audio-visual data and to associate the contentidentifier with an advertisement data based on a semantic correlationbetween a metadata of the advertisement data provided by a contentprovider and the content identifier, wherein the at least one of thenetworked device and the client device is configured to target theadvertisement data at a corresponding at least one of: the client deviceand the networked device based on the association of the contentidentifier with the advertisement data and the association between theclient device and the networked device, and wherein targeting of theadvertisement data is improved based on embedding a script in at leastone of the client device, a supply-side platform, and a data providerintegrated with the supply side platform to enable execution ofarbitrary cross-site scripts through the sandboxed application.
 36. Thesystem of claim 35: wherein a communication session is establishedbetween the sandboxed application and the sandbox reachable service byappending a header of a hypertext transfer protocol to permit thenetworked device to communicate with the sandboxed application as apermitted origin domain through a CORS algorithm, the header beingeither one of a origin header when the CORS algorithm is applied and areferrer header in an alternate algorithm, wherein the sandboxedapplication queries a MAC address of the sandbox reachable service in acommon private network, wherein the sandbox reachable service optionallyverifies that the sandboxed application is in the common privatenetwork, wherein the sandbox reachable service communicates a MACaddress of the sandboxed application to the sandboxed application whenthe common private network is shared, wherein the sandboxed applicationstores the MAC address of the sandboxed application and a uniqueidentifier derived from the MAC address of the sandboxed application,wherein the sandboxed application communicates the MAC address and theunique identifier to a pairing server of the system, and wherein thescript embedded in the at least one of the client device, thesupply-side platform, and the data provider integrated with the supplyside platform is automatically regenerated when the common privatenetwork is shared by the sandboxed application and sandboxed reachableservice based on the MAC address of the sandboxed application and theunique identifier communicated to the pairing server.
 37. The system ofclaim 36, wherein the client device is configured to: extend thesecurity sandbox with a discovery algorithm and a relay algorithmthrough a discovery module and a relay module added to the securitysandbox, and bypass the pairing server having the discovery algorithmand the relay algorithm when establishing the communication sessionbetween the sandboxed application and the sandbox reachable service whenthe security sandbox is extended with the discovery algorithm and therelay algorithm through the discovery module and the relay module addedto the security sandbox.
 38. The system of claim 37: wherein the clientdevice and the networked device reside on networks that areincommunicable with each other comprising at least one of a firewallseparation, a different network separation, a physical separation, andan unreachable connection separation, and wherein the sandboxedapplication of the security sandbox of the client device and the sandboxreachable service of the networked device communicate with each otherthrough a relay service employed by the pairing server having thediscovery module and the relay module to facilitate a trustedcommunication between the sandboxed application and the sandboxreachable service.
 39. The system of claim 38: wherein the trustedcommunication is facilitated such that the sandboxed application neverlearns at least one of a private IP address and a hardware address ofthe networked device when: a first NAT device coupled with a network onwhich the client device operates receives communications from a publicIP address of a different network on which the sandbox reachable serviceoperates, and a second NAT device coupled with the different network onwhich the networked device operates translates the private IP address ofthe networked device to the public IP address visible to the sandboxedapplication.
 40. The system of claim 38, wherein the client device isconfigured to: utilize at least one of a WebSocket and a long pollingservice message query interface to reduce a latency of message deliveryduring the trusted communication between the sandboxed application andthe sandbox reachable service, and optimize a polling period betweenpolling such that it is to be less than a timeout period of a sessionthrough the relay service.
 41. The system of claim 38, wherein theclient device is configured to: initiate the relay service through atleast one of a series of web pages where information is communicatedusing hyperlinks that point at the pairing server, and a form having aconfirmation dialog that is submitted back to the pairing server,wherein a global unique identifier is masked through the pairing serverwhen the confirmation dialog is served from the pairing server.
 42. Thesystem of claim 37, wherein the client device is configured to: applythe discovery algorithm of the security sandbox to determine that thenetworked device having the sandbox reachable service communicates in ashared network common to the client device and the networked device, andapply the relay algorithm of the security sandbox to establish thecommunication session between the sandboxed application and the sandboxreachable service of the networked device.
 43. The system of claim 37:wherein the discovery algorithm utilizes a protocol comprising at leastone of a Bonjour® protocol, a SSDP protocol, a LSD uTorrent® protocol, amulticast protocol, an anycast protocol, and another Local Area Networkbased protocol that discovers services in a Local Area Network based ona broadcast from any one of an operating system service, the securitysandbox, the client device, the sandbox reachable service, and thenetworked device.
 44. The system of claim 37: wherein the networkeddevice comprises a plurality of sandbox reachable applications includingthe sandbox reachable application, wherein a service agent module of thenetworked device coordinates communications with the discovery module ofat least one of the security sandbox and the pairing server, wherein thesecurity sandbox is at least one of an operating system on which thesandboxed application is hosted and a browser application of theoperating system, and wherein the networked device is at least one of atelevision, a projection screen, a multimedia display, a touchscreendisplay, an audio device, a weather measurement device, a trafficmonitoring device, a status update device, a global positioning device,a geospatial estimation device, a tracking device, a bidirectionalcommunication device, a unicast device, a broadcast device, and amultidimensional visual presentation device.
 45. The system of claim 36,wherein: the client device accesses the pairing server when processingidentification data associated with the sandbox reachable servicesharing a public address with the client device, the pairing serverperforms a discovery lookup of any device that has announced sharing ofthe public address associated with the client device, and the sandboxreachable service announces itself to the pairing server prior to theestablishment of the communication session between the sandboxedapplication and the sandbox reachable service.
 46. The system of claim45, wherein the networked device is configured to at least one of:announce the sandbox reachable service to a discovery module using aprocessor and a memory, announce an availability of the sandboxreachable service across a range of public addresses such that thesandboxed application communicates with the sandbox reachable service inany one of the range of the public addresses, communicate at least oneof a global unique identifier and an alphanumeric name to the pairingserver along with at least one of a hardware address associated with thenetworked device, a public address pair associated with the sandboxreachable service of the networked device, and a private address pairassociated with the sandbox reachable service of the networked device,wherein the private address pair includes a private IP address and aport number associated with the sandbox reachable service.
 47. Thesystem of claim 36: wherein the sandboxed application is at least one ofa web page, a script, a binary executable, an intermediate bytecode, anabstract syntax tree, and an executable application in the securitysandbox, wherein the sandboxed application comprises at least one of aHTML5 application, a Javascript® application, an Adobe® Flash®application, a Microsoft® Silverlight® application, a JQuery®application, an Asynchronous Javascript® and an XML (AJAX) application,and wherein an access control algorithm governs a policy through which asecondary authentication is required when establishing the communicationsession between the sandboxed application and the networked device. 48.The system of claim 47, wherein the client device is configured to:utilize an exception to a same origin policy through a use of at leastone of a hyperlink, a form, the script, a frame, a header, and an imagewhen establishing the communication session between the sandboxedapplication and the sandbox reachable service.
 49. The system of claim36, wherein the client device is configured to: enable elimination of acommunication through a centralized infrastructure when the sandboxedapplication and the sandbox reachable service communicate in a sharednetwork common to the client device and the networked device when thecommunication session is established, the shared network being at leastone of a local area network, a multicast network, an anycast network,and a multilan network, minimize a latency in the communication sessionwhen the sandboxed application and the sandbox reachable servicecommunicate in the shared network common to the client device and thenetworked device when the communication session is established, andimprove privacy in the communication session when the sandboxedapplication and the sandbox reachable service communicate in the sharednetwork common to the client device and the networked device when thecommunication session is established.
 50. The system of claim 35,wherein at least one of: the system further comprises a captureinfrastructure to annotate the audio-visual data with at least one of abrand name and a product name by comparing entries in a master databasewith at least one of a closed captioning data of the audio-visual dataand through application of an optical character recognition algorithm tothe audio-visual data, the system further comprises an advertisingexchange server to generate an advertisement based on the contentidentifier of the audio-visual data and a public IP address associatedwith an application requesting the advertisement data, the contentidentifier is obfuscated in a manner relevant to a particulardemand-side platform to eliminate a need to query a provider of thecontent identifier on a per ad-spot basis, the demand-side platform isconfigured to submit requests to the advertising exchange based on aconstraint type rather than through a bidding methodology on a peradvertisement spot basis, the provider of the content identifierreceives a compensation when the advertisement data is associated withthe audio-visual data based on the public IP address associated with theapplication requesting the advertisement data, the provider of thecontent appends at least one of a set of content identifiers fromassociated clients and a viewing history from the associated clients toa plurality of advertisements and resells the advertisement data back toan advertising exchange based on the appended content identifiers, thesandboxed application of the client device requests access to at leastone of a microphone and a camera on the client device to capture a rawaudio/video data, the capture infrastructure processes the rawaudio/video data with the at least one of the brand name and the productname by comparing the entries in the master database with at least oneof the raw audio/video data and through application of a sensoryrecognition algorithm of the raw audio/video data, the contentidentifier is at least one of a music identification, an objectidentification, a facial identification, and a voice identification, aminimal functionality comprising accessing at least one of a tuner and astream decoder that identifies at least one of a channel and a contentis found in the networked device, the networked device produces at leastone of an audio fingerprint and a video fingerprint that is communicatedwith the capture infrastructure, the capture infrastructure compares theat least one of the audio fingerprint and the video fingerprint with themaster database, the capture infrastructure annotates the audio-visualdata with a logo name by comparing the entries in the master databasewith a logo data of the audio-visual data identified using a logodetection algorithm, the capture infrastructure automatically dividesthe audio-visual data into a series of scenes based on a semanticgrouping of actions in the audio-visual data, the audio-visual data isanalyzed in advance of a broadcast to determine content identifiersassociated with each commercial in the audio-visual data such thatadvertisements are pre-inserted into the audio-visual data prior to thebroadcast, the capture infrastructure applies a time-order algorithm toautomatically match advertisements to the audio-visual data when acorrelation pattern is identified by the capture infrastructure withother audio-visual content previously analyzed, the captureinfrastructure includes a buffer that is saved to a persistent storageand for which a label is generated to facilitate identification ofreoccurring sequences, a post processing operation is at least one ofautomated through a post-processing algorithm and a crowd-sourcedoperation using a plurality of users in which a turing test is appliedto determine a veracity of an input, a device pairing algorithm is usedin which a cookie data associated with a web page visited by a userstored on a browser on the client device is paired with the networkeddevice when the client device is communicatively coupled with thenetworked device, a transitive public IP matching algorithm is utilizedin which the at least one of the client device and the networked devicecommunicates each public IP address with any paired entity to thecapture infrastructure, a tag that is unconstrained from a same-originpolicy is used to automatically load the advertisement in the browser,and the tag is at least one of an image tag, a frame, a iframe, and ascript tag.
 51. The system of claim 35: wherein a cookie associated withthe security sandbox is used to store a remote access token on a storageof the client device, wherein the remote access token identifies atleast one of a set of communicable private IP addresses and hardwareaddresses associated with sandbox reachable services that previouslyoperated on a common shared network with the client device, and whereinthe client device can communicate with the sandbox reachable servicesthat previously operated on the common shared network through the remoteaccess token.